10404
6675
#: serverguide/C/network-config.xml:34(para)
10406
"Most Ethernet configuration is centralized in a single file, "
10407
"<filename>/etc/network/interfaces</filename>. If you have no Ethernet "
10408
"devices, only the loopback interface will appear in this file, and it will "
10409
"look something like this:"
6676
msgid "Most Ethernet configuration is centralized in a single file, <filename>/etc/network/interfaces</filename>. If you have no Ethernet devices, only the loopback interface will appear in this file, and it will look something like this:"
10412
6679
#: serverguide/C/network-config.xml:40(programlisting)
10416
"# This file describes the network interfaces available on your system\n"
10417
"# and how to activate them. For more information, see interfaces(5).\n"
10419
"# The loopback network interface\n"
10421
"iface lo inet loopback\n"
10422
"address 127.0.0.1\n"
10423
"netmask 255.0.0.0\n"
6681
msgid "\n# This file describes the network interfaces available on your system\n# and how to activate them. For more information, see interfaces(5).\n\n# The loopback network interface\nauto lo\niface lo inet loopback\naddress 127.0.0.1\nnetmask 255.0.0.0\n"
10426
6684
#: serverguide/C/network-config.xml:50(para)
10428
"If you have only one Ethernet device, eth0, and it gets its configuration "
10429
"from a DHCP server, and it should come up automatically at boot, only two "
10430
"additional lines are required:"
6685
msgid "If you have only one Ethernet device, eth0, and it gets its configuration from a DHCP server, and it should come up automatically at boot, only two additional lines are required:"
10433
6688
#: serverguide/C/network-config.xml:55(programlisting)
10438
"iface eth0 inet dhcp\n"
6690
msgid "\nauto eth0\niface eth0 inet dhcp\n"
10441
6693
#: serverguide/C/network-config.xml:59(para)
10443
"The first line specifies that the eth0 device should come up automatically "
10444
"when you boot. The second line means that interface (<quote>iface</quote>) "
10445
"eth0 should have an IPv4 address space (replace <quote>inet</quote> with "
10446
"<quote>inet6</quote> for an IPv6 device) and that it should get its "
10447
"configuration automatically from DHCP. Assuming your network and DHCP server "
10448
"are properly configured, this machine's network should need no further "
10449
"configuration to operate properly. The DHCP server will provide the default "
10450
"gateway (implemented via the <application>route</application> command), the "
10451
"device's IP address (implemented via the <application>ifconfig</application> "
10452
"command), and DNS servers used on the network (implemented in the "
10453
"<filename>/etc/resolv.conf</filename> file.)"
6694
msgid "The first line specifies that the eth0 device should come up automatically when you boot. The second line means that interface (<quote>iface</quote>) eth0 should have an IPv4 address space (replace <quote>inet</quote> with <quote>inet6</quote> for an IPv6 device) and that it should get its configuration automatically from DHCP. Assuming your network and DHCP server are properly configured, this machine's network should need no further configuration to operate properly. The DHCP server will provide the default gateway (implemented via the <application>route</application> command), the device's IP address (implemented via the <application>ifconfig</application> command), and DNS servers used on the network (implemented in the <filename>/etc/resolv.conf</filename> file.)"
10456
6697
#: serverguide/C/network-config.xml:72(para)
10458
"To configure your Ethernet device with a static IP address and custom "
10459
"configuration, some more information will be required. Suppose you want to "
10460
"assign the IP address 192.168.0.2 to the device eth1, with the typical "
10461
"netmask of 255.255.255.0. Your default gateway's IP address is 192.168.0.1. "
10462
"You would enter something like this into "
10463
"<filename>/etc/network/interfaces</filename>:"
6698
msgid "To configure your Ethernet device with a static IP address and custom configuration, some more information will be required. Suppose you want to assign the IP address 192.168.0.2 to the device eth1, with the typical netmask of 255.255.255.0. Your default gateway's IP address is 192.168.0.1. You would enter something like this into <filename>/etc/network/interfaces</filename>:"
10466
6701
#: serverguide/C/network-config.xml:79(programlisting)
10470
"iface eth1 inet static\n"
10471
"\taddress 192.168.0.2\n"
10472
"\tnetmask 255.255.255.0\n"
10473
"\tgateway 192.168.0.1\n"
10476
#: serverguide/C/network-config.xml:85(para)
10478
"In this case, you will need to specify your DNS servers manually in "
10479
"<filename>/etc/resolv.conf</filename>, which should look something like this:"
10482
#: serverguide/C/network-config.xml:89(programlisting)
6703
msgid "\nauto eth1\niface eth1 inet static\n\taddress 192.168.0.2\n\tnetmask 255.255.255.0\n\tgateway 192.168.0.1\n"
6706
#: serverguide/C/network-config.xml:86(para)
6707
msgid "In this case, you will need to specify your DNS servers manually in <filename>/etc/resolv.conf</filename>, which should look something like this:"
6710
#: serverguide/C/network-config.xml:90(programlisting)
10486
"search mydomain.example\n"
10487
"nameserver 192.168.0.1\n"
10488
"nameserver 4.2.2.2\n"
10491
#: serverguide/C/network-config.xml:94(para)
10493
"The <emphasis role=\"italics\">search</emphasis> directive will append "
10494
"mydomain.example to hostname queries in an attempt to resolve names to your "
10495
"network. For example, if your network's domain is mydomain.example and you "
10496
"try to ping the host <quote>mybox</quote>, the DNS query will be modified to "
10497
"<quote>mybox.mydomain.example</quote> for resolution. The <emphasis "
10498
"role=\"italics\">nameserver</emphasis> directives specify DNS servers to be "
10499
"used to resolve hostnames to IP addresses. If you use your own nameserver, "
10500
"enter it here. Otherwise, ask your Internet Service Provider for the primary "
10501
"and secondary DNS servers to use, and enter them into "
10502
"<filename>/etc/resolv.conf</filename> as shown above."
10505
#: serverguide/C/network-config.xml:106(para)
10507
"Many more configurations are possible, including dialup PPP interfaces, IPv6 "
10508
"networking, VPN devices, etc. Refer to <application>man 5 "
10509
"interfaces</application> for more information and supported options. "
10510
"Remember that <filename>/etc/network/interfaces</filename> is used by the "
10511
"<application>ifup</application>/<application>ifdown</application> scripts as "
10512
"a higher level configuration scheme than may be used in some other Linux "
10513
"distributions, and that the traditional, lower level utilities such as "
10514
"<application>ifconfig</application>, <application>route</application>, and "
10515
"<application>dhclient</application> are still available to you for ad hoc "
10519
#: serverguide/C/network-config.xml:120(title)
6712
msgid "\nsearch mydomain.example\nnameserver 192.168.0.1\nnameserver 4.2.2.2\n"
6715
#: serverguide/C/network-config.xml:95(para)
6716
msgid "The <emphasis role=\"italics\">search</emphasis> directive will append mydomain.example to hostname queries in an attempt to resolve names to your network. For example, if your network's domain is mydomain.example and you try to ping the host <quote>mybox</quote>, the DNS query will be modified to <quote>mybox.mydomain.example</quote> for resolution. The <emphasis role=\"italics\">nameserver</emphasis> directives specify DNS servers to be used to resolve hostnames to IP addresses. If you use your own nameserver, enter it here. Otherwise, ask your Internet Service Provider for the primary and secondary DNS servers to use, and enter them into <filename>/etc/resolv.conf</filename> as shown above."
6719
#: serverguide/C/network-config.xml:107(para)
6720
msgid "Many more configurations are possible, including dialup PPP interfaces, IPv6 networking, VPN devices, etc. Refer to <application>man 5 interfaces</application> for more information and supported options. Remember that <filename>/etc/network/interfaces</filename> is used by the <application>ifup</application>/<application>ifdown</application> scripts as a higher level configuration scheme than may be used in some other Linux distributions, and that the traditional, lower level utilities such as <application>ifconfig</application>, <application>route</application>, and <application>dhclient</application> are still available to you for ad hoc configurations."
6723
#: serverguide/C/network-config.xml:121(title)
10520
6724
msgid "Managing DNS Entries"
10523
#: serverguide/C/network-config.xml:121(para)
10525
"This section explains how to configure which nameserver to use when "
10526
"resolving IP addresses to hostnames and vice versa. It does not explain how "
10527
"to configure the system as a name server."
10530
#: serverguide/C/network-config.xml:126(para)
10532
"To manage DNS entries, you can add, edit, or remove DNS names from the "
10533
"<filename>/etc/resolv.conf</filename> file. A sample file is given below:"
10536
#: serverguide/C/network-config.xml:130(programlisting)
6727
#: serverguide/C/network-config.xml:122(para)
6728
msgid "This section explains how to configure which nameserver to use when resolving IP addresses to hostnames and vice versa. It does not explain how to configure the system as a name server."
6731
#: serverguide/C/network-config.xml:127(para)
6732
msgid "To manage DNS entries, you can add, edit, or remove DNS names from the <filename>/etc/resolv.conf</filename> file. A sample file is given below:"
6735
#: serverguide/C/network-config.xml:131(programlisting)
10541
"nameserver 204.11.126.131\n"
10542
"nameserver 64.125.134.133\n"
10543
"nameserver 64.125.134.132\n"
10544
"nameserver 208.185.179.218\n"
10547
#: serverguide/C/network-config.xml:138(para)
10549
"The <application>search</application> key specifies the string which will be "
10550
"appended to an incomplete hostname. Here, we have configured it to "
10551
"<application>com</application>. So, when we run: <command>ping "
10552
"ubuntu</command> it would be interpreted as <command>ping "
10553
"ubuntu.com</command>."
10556
#: serverguide/C/network-config.xml:146(para)
10558
"The <application>nameserver</application> key specifies the nameserver IP "
10559
"address. It will be used to resolve a given IP address or hostname. This "
10560
"file can have multiple nameserver entries. The nameservers will be used by "
10561
"the network query in the same order."
10564
#: serverguide/C/network-config.xml:155(para)
10566
"If the DNS server names are retrieved dynamically from DHCP or PPPoE "
10567
"(retrieved from your ISP), do not add nameserver entries in this file. It "
10568
"will be overwritten."
10571
#: serverguide/C/network-config.xml:164(title)
6737
msgid "\nsearch com\nnameserver 204.11.126.131\nnameserver 64.125.134.133\nnameserver 64.125.134.132\nnameserver 208.185.179.218\n"
6740
#: serverguide/C/network-config.xml:139(para)
6741
msgid "The <application>search</application> key specifies the string which will be appended to an incomplete hostname. Here, we have configured it to <application>com</application>. So, when we run: <command>ping ubuntu</command> it would be interpreted as <command>ping ubuntu.com</command>."
6744
#: serverguide/C/network-config.xml:147(para)
6745
msgid "The <application>nameserver</application> key specifies the nameserver IP address. It will be used to resolve a given IP address or hostname. This file can have multiple nameserver entries. The nameservers will be used by the network query in the same order."
6748
#: serverguide/C/network-config.xml:156(para)
6749
msgid "If the DNS server names are retrieved dynamically from DHCP or PPPoE (retrieved from your ISP), do not add nameserver entries in this file. It will be overwritten."
6752
#: serverguide/C/network-config.xml:165(title)
10572
6753
msgid "Managing Hosts"
10575
#: serverguide/C/network-config.xml:165(para)
10577
"To manage hosts, you can add, edit, or remove hosts from "
10578
"<filename>/etc/hosts</filename> file. The file contains IP addresses and "
10579
"their corresponding hostnames. When your system tries to resolve a hostname "
10580
"to an IP address or determine the hostname for an IP address, it refers to "
10581
"the <filename>/etc/hosts</filename> file before using the name servers. If "
10582
"the IP address is listed in the <filename>/etc/hosts</filename> file, the "
10583
"name servers are not used. This behavior can be modified by editing "
10584
"<filename>/etc/nsswitch.conf</filename> at your peril."
10587
#: serverguide/C/network-config.xml:178(para)
10589
"If your network contains computers whose IP addresses are not listed in DNS, "
10590
"it is recommended that you add them to the <filename>/etc/hosts</filename> "
10594
#: serverguide/C/network-config.xml:186(title)
6756
#: serverguide/C/network-config.xml:166(para)
6757
msgid "To manage hosts, you can add, edit, or remove hosts from <filename>/etc/hosts</filename> file. The file contains IP addresses and their corresponding hostnames. When your system tries to resolve a hostname to an IP address or determine the hostname for an IP address, it refers to the <filename>/etc/hosts</filename> file before using the name servers. If the IP address is listed in the <filename>/etc/hosts</filename> file, the name servers are not used. This behavior can be modified by editing <filename>/etc/nsswitch.conf</filename> at your peril."
6760
#: serverguide/C/network-config.xml:179(para)
6761
msgid "If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the <filename>/etc/hosts</filename> file."
6764
#: serverguide/C/network-config.xml:187(title)
10595
6765
msgid "Bridging"
10598
#: serverguide/C/network-config.xml:188(para)
10600
"Bridging multiple interfaces is a more advanced configuration, but is very "
10601
"useful in multiple scenarios. One scenario is setting up a bridge with "
10602
"multiple network interfaces, then using a firewall to filter traffic between "
10603
"two network segments. Another scenario is using bridge on a system with one "
10604
"interface to allow virtual machines direct access to the outside network. "
10605
"The following example covers the latter scenario."
10608
#: serverguide/C/network-config.xml:195(para)
10610
"Before configuring a bridge you will need to install the <application>bridge-"
10611
"utils</application> package. To install the package, in a terminal enter:"
10614
#: serverguide/C/network-config.xml:201(command)
6768
#: serverguide/C/network-config.xml:189(para)
6769
msgid "Bridging multiple interfaces is a more advanced configuration, but is very useful in multiple scenarios. One scenario is setting up a bridge with multiple network interfaces, then using a firewall to filter traffic between two network segments. Another scenario is using bridge on a system with one interface to allow virtual machines direct access to the outside network. The following example covers the latter scenario."
6772
#: serverguide/C/network-config.xml:196(para)
6773
msgid "Before configuring a bridge you will need to install the <application>bridge-utils</application> package. To install the package, in a terminal enter:"
6776
#: serverguide/C/network-config.xml:202(command)
10615
6777
msgid "sudo apt-get install bridge-utils"
10618
#: serverguide/C/network-config.xml:204(para)
10620
"Next, configure the bridge by editing "
10621
"<filename>/etc/network/interfaces</filename>:"
6780
#: serverguide/C/network-config.xml:205(para)
6781
msgid "Next, configure the bridge by editing <filename>/etc/network/interfaces</filename>:"
10624
#: serverguide/C/network-config.xml:208(programlisting)
6784
#: serverguide/C/network-config.xml:209(programlisting)
10629
"iface lo inet loopback\n"
10632
"iface br0 inet static\n"
10633
" address 192.168.0.10\n"
10634
" network 192.168.0.0\n"
10635
" netmask 255.255.255.0\n"
10636
" broadcast 192.168.0.255\n"
10637
" gateway 192.168.0.1\n"
10638
" bridge_ports eth0\n"
10640
" bridge_hello 2\n"
10641
" bridge_maxage 12\n"
10642
" bridge_stp off\n"
6786
msgid "\nauto lo\niface lo inet loopback\n\nauto br0\niface br0 inet static\n address 192.168.0.10\n network 192.168.0.0\n netmask 255.255.255.0\n broadcast 192.168.0.255\n gateway 192.168.0.1\n bridge_ports eth0\n bridge_fd 9\n bridge_hello 2\n bridge_maxage 12\n bridge_stp off\n"
10645
#: serverguide/C/network-config.xml:227(para)
6789
#: serverguide/C/network-config.xml:228(para)
10646
6790
msgid "Enter the appropriate values for your physical interface and network."
10649
#: serverguide/C/network-config.xml:232(para)
6793
#: serverguide/C/network-config.xml:233(para)
10650
6794
msgid "Now restart networking to enable the bridge interface:"
10653
#: serverguide/C/network-config.xml:239(para)
10655
"The new bridge interface should now be up and running. The "
10656
"<application>brctl</application> provides useful information about the state "
10657
"of the bridge, controls which interfaces are part of the bridge, etc. See "
10658
"<command>man brctl</command> for more information."
10661
#: serverguide/C/network-config.xml:255(para)
10664
"url=\"http://manpages.ubuntu.com/manpages/karmic/en/man5/interfaces.5.html\">"
10665
"interfaces man page</ulink> has details on more options for "
10666
"<filename>/etc/network/interfaces</filename>."
10669
#: serverguide/C/network-config.xml:261(para)
10671
"For more information on DNS client configuration see the <ulink "
10672
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/resolver.5.html\">re"
10673
"solver man page</ulink>. Also, Chapter 6 of O'Reilly's <ulink "
10674
"url=\"http://oreilly.com/catalog/linag2/book/ch06.html\">Linux Network "
10675
"Administrator's Guide</ulink> is a good source of resolver and name service "
10676
"configuration information."
10679
#: serverguide/C/network-config.xml:269(para)
10681
"For more information on <emphasis>bridging</emphasis> see the <ulink "
10682
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/brctl.8.html\">brctl"
10683
" man page</ulink> and the Linux Foundation's <ulink "
10684
"url=\"http://www.linuxfoundation.org/en/Net:Bridge\">Net:Bridge</ulink> page."
10687
#: serverguide/C/network-config.xml:280(title)
6797
#: serverguide/C/network-config.xml:240(para)
6798
msgid "The new bridge interface should now be up and running. The <application>brctl</application> provides useful information about the state of the bridge, controls which interfaces are part of the bridge, etc. See <command>man brctl</command> for more information."
6801
#: serverguide/C/network-config.xml:256(para)
6802
msgid "The <ulink url=\"http://manpages.ubuntu.com/manpages/lucid/en/man5/interfaces.5.html\">interfaces man page</ulink> has details on more options for <filename>/etc/network/interfaces</filename>."
6805
#: serverguide/C/network-config.xml:262(para)
6806
msgid "For more information on DNS client configuration see the <ulink url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/resolver.5.html\">resolver man page</ulink>. Also, Chapter 6 of O'Reilly's <ulink url=\"http://oreilly.com/catalog/linag2/book/ch06.html\">Linux Network Administrator's Guide</ulink> is a good source of resolver and name service configuration information."
6809
#: serverguide/C/network-config.xml:270(para)
6810
msgid "For more information on <emphasis>bridging</emphasis> see the <ulink url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/brctl.8.html\">brctl man page</ulink> and the Linux Foundation's <ulink url=\"http://www.linuxfoundation.org/en/Net:Bridge\">Net:Bridge</ulink> page."
6813
#: serverguide/C/network-config.xml:281(title)
10688
6814
msgid "TCP/IP"
10691
#: serverguide/C/network-config.xml:281(para)
10693
"The Transmission Control Protocol and Internet Protocol (TCP/IP) is a "
10694
"standard set of protocols developed in the late 1970s by the Defense "
10695
"Advanced Research Projects Agency (DARPA) as a means of communication "
10696
"between different types of computers and computer networks. TCP/IP is the "
10697
"driving force of the Internet, and thus it is the most popular set of "
10698
"network protocols on Earth."
6817
#: serverguide/C/network-config.xml:282(para)
6818
msgid "The Transmission Control Protocol and Internet Protocol (TCP/IP) is a standard set of protocols developed in the late 1970s by the Defense Advanced Research Projects Agency (DARPA) as a means of communication between different types of computers and computer networks. TCP/IP is the driving force of the Internet, and thus it is the most popular set of network protocols on Earth."
10701
#: serverguide/C/network-config.xml:289(title)
6821
#: serverguide/C/network-config.xml:290(title)
10702
6822
msgid "TCP/IP Introduction"
10705
#: serverguide/C/network-config.xml:290(para)
10707
"The two protocol components of TCP/IP deal with different aspects of "
10708
"computer networking. <emphasis>Internet Protocol</emphasis>, the \"IP\" of "
10709
"TCP/IP is a connectionless protocol which deals only with network packet "
10710
"routing using the <emphasis role=\"italics\">IP Datagram</emphasis> as the "
10711
"basic unit of networking information. The IP Datagram consists of a header "
10712
"followed by a message. The <emphasis> Transmission Control "
10713
"Protocol</emphasis> is the \"TCP\" of TCP/IP and enables network hosts to "
10714
"establish connections which may be used to exchange data streams. TCP also "
10715
"guarantees that the data between connections is delivered and that it "
10716
"arrives at one network host in the same order as sent from another network "
6825
#: serverguide/C/network-config.xml:291(para)
6826
msgid "The two protocol components of TCP/IP deal with different aspects of computer networking. <emphasis>Internet Protocol</emphasis>, the \"IP\" of TCP/IP is a connectionless protocol which deals only with network packet routing using the <emphasis role=\"italics\">IP Datagram</emphasis> as the basic unit of networking information. The IP Datagram consists of a header followed by a message. The <emphasis> Transmission Control Protocol</emphasis> is the \"TCP\" of TCP/IP and enables network hosts to establish connections which may be used to exchange data streams. TCP also guarantees that the data between connections is delivered and that it arrives at one network host in the same order as sent from another network host."
10720
#: serverguide/C/network-config.xml:303(title)
6829
#: serverguide/C/network-config.xml:304(title)
10721
6830
msgid "TCP/IP Configuration"
10724
#: serverguide/C/network-config.xml:304(para)
10726
"The TCP/IP protocol configuration consists of several elements which must be "
10727
"set by editing the appropriate configuration files, or deploying solutions "
10728
"such as the Dynamic Host Configuration Protocol (DHCP) server which in turn, "
10729
"can be configured to provide the proper TCP/IP configuration settings to "
10730
"network clients automatically. These configuration values must be set "
10731
"correctly in order to facilitate the proper network operation of your Ubuntu "
10735
#: serverguide/C/network-config.xml:316(para)
10737
"<emphasis role=\"bold\">IP address</emphasis> The IP address is a unique "
10738
"identifying string expressed as four decimal numbers ranging from zero (0) "
10739
"to two-hundred and fifty-five (255), separated by periods, with each of the "
10740
"four numbers representing eight (8) bits of the address for a total length "
10741
"of thirty-two (32) bits for the whole address. This format is called "
10742
"<emphasis>dotted quad notation</emphasis>."
10745
#: serverguide/C/network-config.xml:326(para)
10747
"<emphasis role=\"bold\">Netmask</emphasis> The Subnet Mask (or simply, "
10748
"<emphasis>netmask</emphasis>) is a local bit mask, or set of flags which "
10749
"separate the portions of an IP address significant to the network from the "
10750
"bits significant to the <emphasis>subnetwork</emphasis>. For example, in a "
10751
"Class C network, the standard netmask is 255.255.255.0 which masks the first "
10752
"three bytes of the IP address and allows the last byte of the IP address to "
10753
"remain available for specifying hosts on the subnetwork."
10756
#: serverguide/C/network-config.xml:337(para)
10758
"<emphasis role=\"bold\">Network Address</emphasis> The Network Address "
10759
"represents the bytes comprising the network portion of an IP address. For "
10760
"example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as the "
10761
"network address, where twelve (12) represents the first byte of the IP "
10762
"address, (the network part) and zeroes (0) in all of the remaining three "
10763
"bytes to represent the potential host values. A network host using the "
10764
"private IP address 192.168.1.100 would in turn use a Network Address of "
10765
"192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 "
10766
"network and a zero (0) for all the possible hosts on the network."
10769
#: serverguide/C/network-config.xml:350(para)
10771
"<emphasis role=\"bold\">Broadcast Address</emphasis> The Broadcast Address "
10772
"is an IP address which allows network data to be sent simultaneously to all "
10773
"hosts on a given subnetwork rather than specifying a particular host. The "
10774
"standard general broadcast address for IP networks is 255.255.255.255, but "
10775
"this broadcast address cannot be used to send a broadcast message to every "
10776
"host on the Internet because routers block it. A more appropriate broadcast "
10777
"address is set to match a specific subnetwork. For example, on the private "
10778
"Class C IP network, 192.168.1.0, the broadcast address is 192.168.1.255. "
10779
"Broadcast messages are typically produced by network protocols such as the "
10780
"Address Resolution Protocol (ARP) and the Routing Information Protocol (RIP)."
10783
#: serverguide/C/network-config.xml:363(para)
10785
"<emphasis role=\"bold\">Gateway Address</emphasis> A Gateway Address is the "
10786
"IP address through which a particular network, or host on a network, may be "
10787
"reached. If one network host wishes to communicate with another network "
10788
"host, and that host is not located on the same network, then a "
10789
"<emphasis>gateway</emphasis> must be used. In many cases, the Gateway "
10790
"Address will be that of a router on the same network, which will in turn "
10791
"pass traffic on to other networks or hosts, such as Internet hosts. The "
10792
"value of the Gateway Address setting must be correct, or your system will "
10793
"not be able to reach any hosts beyond those on the same network."
10796
#: serverguide/C/network-config.xml:374(para)
10798
"<emphasis role=\"bold\">Nameserver Address</emphasis> Nameserver Addresses "
10799
"represent the IP addresses of Domain Name Service (DNS) systems, which "
10800
"resolve network hostnames into IP addresses. There are three levels of "
10801
"Nameserver Addresses, which may be specified in order of precedence: The "
10802
"<emphasis>Primary</emphasis> Nameserver, the <emphasis>Secondary</emphasis> "
10803
"Nameserver, and the <emphasis>Tertiary</emphasis> Nameserver. In order for "
10804
"your system to be able to resolve network hostnames into their corresponding "
10805
"IP addresses, you must specify valid Nameserver Addresses which you are "
10806
"authorized to use in your system's TCP/IP configuration. In many cases these "
10807
"addresses can and will be provided by your network service provider, but "
10808
"many free and publicly accessible nameservers are available for use, such as "
10809
"the Level3 (Verizon) servers with IP addresses from 4.2.2.1 to 4.2.2.6."
10812
#: serverguide/C/network-config.xml:388(para)
10814
"The IP address, Netmask, Network Address, Broadcast Address, and Gateway "
10815
"Address are typically specified via the appropriate directives in the file "
10816
"<filename>/etc/network/interfaces</filename>. The Nameserver Addresses are "
10817
"typically specified via <emphasis>nameserver</emphasis> directives in the "
10818
"file <filename>/etc/resolv.conf</filename>. For more information, view the "
10819
"system manual page for <filename>interfaces</filename> or "
10820
"<filename>resolv.conf</filename> respectively, with the following commands "
10821
"typed at a terminal prompt:"
10824
#: serverguide/C/network-config.xml:395(para)
10826
"Access the system manual page for <filename>interfaces</filename> with the "
10827
"following command:"
10830
#: serverguide/C/network-config.xml:400(command)
6833
#: serverguide/C/network-config.xml:305(para)
6834
msgid "The TCP/IP protocol configuration consists of several elements which must be set by editing the appropriate configuration files, or deploying solutions such as the Dynamic Host Configuration Protocol (DHCP) server which in turn, can be configured to provide the proper TCP/IP configuration settings to network clients automatically. These configuration values must be set correctly in order to facilitate the proper network operation of your Ubuntu system."
6837
#: serverguide/C/network-config.xml:317(para)
6838
msgid "<emphasis role=\"bold\">IP address</emphasis> The IP address is a unique identifying string expressed as four decimal numbers ranging from zero (0) to two-hundred and fifty-five (255), separated by periods, with each of the four numbers representing eight (8) bits of the address for a total length of thirty-two (32) bits for the whole address. This format is called <emphasis>dotted quad notation</emphasis>."
6841
#: serverguide/C/network-config.xml:327(para)
6842
msgid "<emphasis role=\"bold\">Netmask</emphasis> The Subnet Mask (or simply, <emphasis>netmask</emphasis>) is a local bit mask, or set of flags which separate the portions of an IP address significant to the network from the bits significant to the <emphasis>subnetwork</emphasis>. For example, in a Class C network, the standard netmask is 255.255.255.0 which masks the first three bytes of the IP address and allows the last byte of the IP address to remain available for specifying hosts on the subnetwork."
6845
#: serverguide/C/network-config.xml:338(para)
6846
msgid "<emphasis role=\"bold\">Network Address</emphasis> The Network Address represents the bytes comprising the network portion of an IP address. For example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as the network address, where twelve (12) represents the first byte of the IP address, (the network part) and zeroes (0) in all of the remaining three bytes to represent the potential host values. A network host using the private IP address 192.168.1.100 would in turn use a Network Address of 192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 network and a zero (0) for all the possible hosts on the network."
6849
#: serverguide/C/network-config.xml:351(para)
6850
msgid "<emphasis role=\"bold\">Broadcast Address</emphasis> The Broadcast Address is an IP address which allows network data to be sent simultaneously to all hosts on a given subnetwork rather than specifying a particular host. The standard general broadcast address for IP networks is 255.255.255.255, but this broadcast address cannot be used to send a broadcast message to every host on the Internet because routers block it. A more appropriate broadcast address is set to match a specific subnetwork. For example, on the private Class C IP network, 192.168.1.0, the broadcast address is 192.168.1.255. Broadcast messages are typically produced by network protocols such as the Address Resolution Protocol (ARP) and the Routing Information Protocol (RIP)."
6853
#: serverguide/C/network-config.xml:364(para)
6854
msgid "<emphasis role=\"bold\">Gateway Address</emphasis> A Gateway Address is the IP address through which a particular network, or host on a network, may be reached. If one network host wishes to communicate with another network host, and that host is not located on the same network, then a <emphasis>gateway</emphasis> must be used. In many cases, the Gateway Address will be that of a router on the same network, which will in turn pass traffic on to other networks or hosts, such as Internet hosts. The value of the Gateway Address setting must be correct, or your system will not be able to reach any hosts beyond those on the same network."
#: serverguide/C/network-config.xml:375(para)
msgid "<emphasis role=\"bold\">Nameserver Address</emphasis> Nameserver Addresses represent the IP addresses of Domain Name Service (DNS) systems, which resolve network hostnames into IP addresses. There are three levels of Nameserver Addresses, which may be specified in order of precedence: The <emphasis>Primary</emphasis> Nameserver, the <emphasis>Secondary</emphasis> Nameserver, and the <emphasis>Tertiary</emphasis> Nameserver. In order for your system to be able to resolve network hostnames into their corresponding IP addresses, you must specify valid Nameserver Addresses which you are authorized to use in your system's TCP/IP configuration. In many cases these addresses can and will be provided by your network service provider, but many free and publicly accessible nameservers are available for use, such as the Level3 (Verizon) servers with IP addresses from 4.2.2.1 to 4.2.2.6."
#: serverguide/C/network-config.xml:389(para)
msgid "The IP address, Netmask, Network Address, Broadcast Address, and Gateway Address are typically specified via the appropriate directives in the file <filename>/etc/network/interfaces</filename>. The Nameserver Addresses are typically specified via <emphasis>nameserver</emphasis> directives in the file <filename>/etc/resolv.conf</filename>. For more information, view the system manual page for <filename>interfaces</filename> or <filename>resolv.conf</filename> respectively, with the following commands typed at a terminal prompt:"
#: serverguide/C/network-config.xml:396(para)
msgid "Access the system manual page for <filename>interfaces</filename> with the following command:"
#: serverguide/C/network-config.xml:401(command)
msgid "man interfaces"
#: serverguide/C/network-config.xml:404(para)
msgid "Access the system manual page for <filename>resolv.conf</filename> with the following command:"
#: serverguide/C/network-config.xml:408(command)
msgid "man resolv.conf"
#: serverguide/C/network-config.xml:313(para)
msgid "The common configuration elements of TCP/IP and their purposes are as follows: <placeholder-1/>"
#: serverguide/C/network-config.xml:415(title)
msgid "IP Routing"
#: serverguide/C/network-config.xml:416(para)
msgid "IP routing is a means of specifying and discovering paths in a TCP/IP network along which network data may be sent. Routing uses a set of <emphasis>routing tables</emphasis> to direct the forwarding of network data packets from their source to the destination, often via many intermediary network nodes known as <emphasis>routers</emphasis>. There are two primary forms of IP routing: <emphasis>Static Routing</emphasis> and <emphasis>Dynamic Routing.</emphasis>"
#: serverguide/C/network-config.xml:425(para)
msgid "Static routing involves manually adding IP routes to the system's routing table, and this is usually done by manipulating the routing table with the <application>route</application> command. Static routing enjoys many advantages over dynamic routing, such as simplicity of implementation on smaller networks, predictability (the routing table is always computed in advance, and thus the route is precisely the same each time it is used), and low overhead on other routers and network links due to the lack of a dynamic routing protocol. However, static routing does present some disadvantages as well. For example, static routing is limited to small networks and does not scale well. Static routing also fails completely to adapt to network outages and failures along the route due to the fixed nature of the route."
#: serverguide/C/network-config.xml:435(para)
msgid "Dynamic routing depends on large networks with multiple possible IP routes from a source to a destination and makes use of special routing protocols, such as the Routing Information Protocol (RIP), which handle the automatic adjustments in routing tables that make dynamic routing possible. Dynamic routing has several advantages over static routing, such as superior scalability and the ability to adapt to failures and outages along network routes. Additionally, there is less manual configuration of the routing tables, since routers learn from one another about their existence and available routes. This trait also eliminates the possibility of introducing mistakes in the routing tables via human error. Dynamic routing is not perfect, however, and presents disadvantages such as heightened complexity and additional network overhead from router communications, which does not immediately benefit the end users, but still consumes network bandwidth."
#: serverguide/C/network-config.xml:449(title)
msgid "TCP and UDP"
#: serverguide/C/network-config.xml:450(para)
msgid "TCP is a connection-based protocol, offering error correction and guaranteed delivery of data via what is known as <emphasis>flow control</emphasis>. Flow control determines when the flow of a data stream needs to be stopped, and when previously sent data packets should be re-sent due to problems such as <emphasis>collisions</emphasis>, thus ensuring complete and accurate delivery of the data. TCP is typically used in the exchange of important information such as database transactions."
#: serverguide/C/network-config.xml:458(para)
msgid "The User Datagram Protocol (UDP), on the other hand, is a <emphasis>connectionless</emphasis> protocol which seldom deals with the transmission of important data because it lacks flow control or any other method to ensure reliable delivery of the data. UDP is commonly used in such applications as audio and video streaming, where it is considerably faster than TCP due to the lack of error correction and flow control, and where the loss of a few packets is not generally catastrophic."
#: serverguide/C/network-config.xml:468(title)
#: serverguide/C/network-config.xml:469(para)
msgid "The Internet Control Messaging Protocol (ICMP) is an extension to the Internet Protocol (IP) as defined in the Request For Comments (RFC) #792 and supports network packets containing control, error, and informational messages. ICMP is used by such network applications as the <application>ping</application> utility, which can determine the availability of a network host or device. Examples of some error messages returned by ICMP which are useful to both network hosts and devices such as routers, include <emphasis>Destination Unreachable</emphasis> and <emphasis>Time Exceeded</emphasis>."
#: serverguide/C/network-config.xml:479(title)
msgid "Daemons"
#: serverguide/C/network-config.xml:480(para)
msgid "Daemons are special system applications which typically execute continuously in the background and await requests for the functions they provide from other applications. Many daemons are network-centric; that is, a large number of daemons executing in the background on an Ubuntu system may provide network-related functionality. Some examples of such network daemons include the <emphasis>Hyper Text Transport Protocol Daemon</emphasis> (httpd), which provides web server functionality; the <emphasis>Secure SHell Daemon</emphasis> (sshd), which provides secure remote login shell and file transfer capabilities; and the <emphasis>Internet Message Access Protocol Daemon</emphasis> (imapd), which provides E-Mail services."
#: serverguide/C/network-config.xml:495(para)
msgid "There are man pages for <ulink url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man7/tcp.7.html\">TCP</ulink> and <ulink url=\"http://manpages.ubuntu.com/manpages/jaunty/man7/ip.7.html\">IP</ulink> that contain more useful information."
#: serverguide/C/network-config.xml:501(para)
msgid "Also, see the <ulink url=\"http://www.redbooks.ibm.com/abstracts/gg243376.html\">TCP/IP Tutorial and Technical Overview</ulink> IBM Redbook."
#: serverguide/C/network-config.xml:507(para)
msgid "Another resource is O'Reilly's <ulink url=\"http://oreilly.com/catalog/9780596002978/\">TCP/IP Network Administration</ulink>."
#: serverguide/C/network-config.xml:516(title)
msgid "Dynamic Host Configuration Protocol (DHCP)"
#: serverguide/C/network-config.xml:517(para)
msgid "The Dynamic Host Configuration Protocol (DHCP) is a network service that enables host computers to be automatically assigned settings from a server as opposed to manually configuring each network host. Computers configured to be DHCP clients have no control over the settings they receive from the DHCP server, and the configuration is transparent to the computer's user."
#: serverguide/C/network-config.xml:524(para)
msgid "The most common settings provided by a DHCP server to DHCP clients include:"
#: serverguide/C/network-config.xml:529(para)
msgid "IP-Address and Netmask"
#: serverguide/C/network-config.xml:532(para)
#: serverguide/C/network-config.xml:535(para)
#: serverguide/C/network-config.xml:538(para)
msgid "However, a DHCP server can also supply configuration properties such as:"
#: serverguide/C/network-config.xml:543(para)
msgid "Host Name"
#: serverguide/C/network-config.xml:546(para)
msgid "Domain Name"
#: serverguide/C/network-config.xml:549(para)
msgid "Default Gateway"
#: serverguide/C/network-config.xml:552(para)
msgid "Time Server"
#: serverguide/C/network-config.xml:555(para)
msgid "Print Server"
#: serverguide/C/network-config.xml:558(para)
msgid "The advantage of using DHCP is that changes to the network, for example a change in the address of the DNS server, need only be changed at the DHCP server, and all network hosts will be reconfigured the next time their DHCP clients poll the DHCP server. As an added advantage, it is also easier to integrate new computers into the network, as there is no need to check for the availability of an IP address. Conflicts in IP address allocation are also reduced."
#: serverguide/C/network-config.xml:566(para)
msgid "A DHCP server can provide configuration settings using two methods:"
#: serverguide/C/network-config.xml:571(term)
msgid "MAC Address"
#: serverguide/C/network-config.xml:573(para)
msgid "This method entails using DHCP to identify the unique hardware address of each network card connected to the network and then continually supplying a constant configuration each time the DHCP client makes a request to the DHCP server using that network device."
#: serverguide/C/network-config.xml:582(term)
msgid "Address Pool"
#: serverguide/C/network-config.xml:584(para)
msgid "This method entails defining a pool (sometimes also called a range or scope) of IP addresses from which DHCP clients are supplied their configuration properties dynamically and on a \"first come, first served\" basis. When a DHCP client is no longer on the network for a specified period, the configuration is expired and released back to the address pool for use by other DHCP Clients."
#: serverguide/C/network-config.xml:595(para)
msgid "Ubuntu is shipped with both DHCP server and client. The server is <application>dhcpd</application> (dynamic host configuration protocol daemon). The client provided with Ubuntu is <application>dhclient</application> and should be installed on all computers required to be automatically configured. Both programs are easy to install and configure and will be automatically started at system boot."
#: serverguide/C/network-config.xml:605(para)
msgid "At a terminal prompt, enter the following command to install <application>dhcpd</application>:"
#: serverguide/C/network-config.xml:610(command)
msgid "sudo apt-get install dhcp3-server"
#: serverguide/C/network-config.xml:612(para)
msgid "You will probably need to change the default configuration by editing /etc/dhcp3/dhcpd.conf to suit your needs and particular configuration."
#: serverguide/C/network-config.xml:616(para)
msgid "You also need to edit /etc/default/dhcp3-server to specify the interfaces dhcpd should listen to. By default it listens to eth0."
#: serverguide/C/network-config.xml:620(para)
msgid "NOTE: dhcpd's messages are being sent to syslog. Look there for diagnostics messages."
#: serverguide/C/network-config.xml:627(para)
msgid "The error message the installation ends with might be a little confusing, but the following steps will help you configure the service:"
#: serverguide/C/network-config.xml:631(para)
msgid "Most commonly, what you want to do is assign an IP address randomly. This can be done with settings as follows:"
#: serverguide/C/network-config.xml:635(programlisting)
msgid "\n# Sample /etc/dhcpd.conf\n# (add your comments here) \ndefault-lease-time 600;\nmax-lease-time 7200;\noption subnet-mask 255.255.255.0;\noption broadcast-address 192.168.1.255;\noption routers 192.168.1.254;\noption domain-name-servers 192.168.1.1, 192.168.1.2;\noption domain-name \"mydomain.example\";\n\nsubnet 192.168.1.0 netmask 255.255.255.0 {\nrange 192.168.1.10 192.168.1.100;\nrange 192.168.1.150 192.168.1.200;\n} \n"
#: serverguide/C/network-config.xml:651(para)
msgid "This will result in the DHCP server giving a client an IP address from the range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600 seconds if the client doesn't ask for a specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also \"advise\" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers."
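The Network Address and Broadcast Address definitions earlier in this chapter, and the sample dhcpd.conf values just described, worked through in an added POSIX sh example that is not part of the Ubuntu Server Guide: it derives the network and broadcast address from an IP address and netmask by masking the bytes as described, then checks that the sample's pool ranges, router and broadcast option all fall inside the declared subnet. The function names are this example's own; every address is one the guide uses.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): derive Network and
# Broadcast Addresses from an IP address and netmask, then sanity-check the
# values used in the sample dhcpd.conf. Function names are this example's own.

# Dotted quad -> 32-bit integer (192.168.1.100 -> 3232235876).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network Address: keep the bits covered by the netmask, zero the host bits.
network_address() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Broadcast Address: the network address with every host bit set to one
# (4294967295 is 0xFFFFFFFF, so XOR with the mask yields the host bits).
broadcast_address() {
    int2ip $(( ( $(ip2int "$1") & $(ip2int "$2") ) | ( 4294967295 ^ $(ip2int "$2") ) ))
}

# Succeeds when address $1 lies inside the subnet given by $2 (network) and $3 (netmask).
in_subnet() {
    [ "$(network_address "$1" "$3")" = "$(network_address "$2" "$3")" ]
}

# Check one dhcpd "range START END" against "subnet NETWORK netmask NETMASK":
# both ends in the subnet, START <= END, and neither end is the network or
# broadcast address, which must never be handed to a client.
check_dhcp_range() {
    r_start=$1; r_end=$2; r_net=$3; r_mask=$4
    r_netaddr=$(network_address "$r_net" "$r_mask")
    r_bcast=$(broadcast_address "$r_net" "$r_mask")
    in_subnet "$r_start" "$r_net" "$r_mask" || { echo "range start $r_start outside $r_net" >&2; return 1; }
    in_subnet "$r_end" "$r_net" "$r_mask"   || { echo "range end $r_end outside $r_net" >&2; return 1; }
    [ "$(ip2int "$r_start")" -le "$(ip2int "$r_end")" ] || { echo "range $r_start-$r_end is reversed" >&2; return 1; }
    for r_a in "$r_start" "$r_end"; do
        if [ "$r_a" = "$r_netaddr" ] || [ "$r_a" = "$r_bcast" ]; then
            echo "range $r_start-$r_end includes reserved address $r_a" >&2
            return 1
        fi
    done
    return 0
}

# Validate the values from the sample /etc/dhcpd.conf in the guide.
check_dhcpd_sample() {
    s_net=192.168.1.0; s_mask=255.255.255.0
    check_dhcp_range 192.168.1.10  192.168.1.100 "$s_net" "$s_mask" || return 1
    check_dhcp_range 192.168.1.150 192.168.1.200 "$s_net" "$s_mask" || return 1
    # "option routers" must be on-link, or clients cannot reach their gateway.
    in_subnet 192.168.1.254 "$s_net" "$s_mask" || { echo "router 192.168.1.254 not in $s_net" >&2; return 1; }
    # "option broadcast-address" must match what the netmask implies.
    [ "$(broadcast_address "$s_net" "$s_mask")" = 192.168.1.255 ] || { echo "broadcast option mismatch" >&2; return 1; }
    return 0
}

# Demo: the two hosts from the Network Address definition, then the config check.
echo "12.128.1.2/255.0.0.0 -> network $(network_address 12.128.1.2 255.0.0.0), broadcast $(broadcast_address 12.128.1.2 255.0.0.0)"
echo "192.168.1.100/255.255.255.0 -> network $(network_address 192.168.1.100 255.255.255.0), broadcast $(broadcast_address 192.168.1.100 255.255.255.0)"
check_dhcpd_sample && echo "sample dhcpd.conf values are consistent"
```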
#: serverguide/C/network-config.xml:660(para)
msgid "If you need to specify a WINS server for your Windows clients, you will need to include the netbios-name-servers option, e.g."
#: serverguide/C/network-config.xml:664(programlisting)
msgid "\noption netbios-name-servers 192.168.1.1; \n"
#: serverguide/C/network-config.xml:667(para)
msgid "Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can be found <ulink url=\"http://www.tldp.org/HOWTO/DHCP/index.html\">here</ulink>."
#: serverguide/C/network-config.xml:677(para)
msgid "For more <filename>/etc/dhcp3/dhcpd.conf</filename> options see the <ulink url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/dhcpd.conf.5.html\">dhcpd.conf man page</ulink>."
#: serverguide/C/network-config.xml:683(para)
msgid "Also see the <ulink url=\"http://www.dhcp-handbook.com/dhcp_faq.html\">DHCP FAQ</ulink>"
#: serverguide/C/network-config.xml:693(title)
msgid "Time Synchronisation with NTP"
#: serverguide/C/network-config.xml:694(para)
msgid "This page describes methods for keeping your computer's time accurate. This is useful for servers, but is not necessary (or desirable) for desktop machines."
#: serverguide/C/network-config.xml:697(para)
msgid "NTP is a TCP/IP protocol for synchronising time over a network. Basically a client requests the current time from a server, and uses it to set its own clock."
#: serverguide/C/network-config.xml:700(para)
msgid "Behind this simple description, there is a lot of complexity - there are tiers of NTP servers, with the tier one NTP servers connected to atomic clocks (often via GPS), and tier two and three servers spreading the load of actually handling requests across the Internet. Also the client software is a lot more complex than you might think - it has to factor out communication delays, and adjust the time in a way that does not upset all the other processes that run on the server. But luckily all that complexity is hidden from you!"
#: serverguide/C/network-config.xml:703(para)
msgid "Ubuntu has two ways of automatically setting your time: ntpdate and ntpd."
#: serverguide/C/network-config.xml:708(title)
msgid "ntpdate"
#: serverguide/C/network-config.xml:709(para)
msgid "Ubuntu comes with ntpdate as standard, and will run it once at boot time to set up your time according to Ubuntu's NTP server. However, a server's clock is likely to drift considerably between reboots, so it makes sense to correct the time occasionally. The easiest way to do this is to get cron to run ntpdate every day. With your favorite editor, as root, create a file <code>/etc/cron.daily/ntpdate</code> containing:"
#: serverguide/C/network-config.xml:714(screen)
msgid "ntpdate ntp.ubuntu.com\n"
11245
#: serverguide/C/network-config.xml:715(para)
11247
"The file <code>/etc/cron.daily/ntpdate</code> must also be executable."
7108
#: serverguide/C/network-config.xml:716(para)
7109
msgid "The file <code>/etc/cron.daily/ntpdate</code> must also be executable."
11250
#: serverguide/C/network-config.xml:718(screen)
7112
#: serverguide/C/network-config.xml:719(screen)
11252
7114
msgid "sudo chmod 755 /etc/cron.daily/ntpdate\n"
11255
#: serverguide/C/network-config.xml:722(title)
7117
#: serverguide/C/network-config.xml:723(title)
11259
#: serverguide/C/network-config.xml:723(para)
11261
"ntpdate is a bit of a blunt instrument - it can only adjust the time once a "
11262
"day, in one big correction. The ntp daemon ntpd is far more subtle. It "
11263
"calculates the drift of your system clock and continuously adjusts it, so "
11264
"there are no large corrections that could lead to inconsistent logs for "
11265
"instance. The cost is a little processing power and memory, but for a modern "
11266
"server this is negligible."
7121
#: serverguide/C/network-config.xml:724(para)
7122
msgid "ntpdate is a bit of a blunt instrument - it can only adjust the time once a day, in one big correction. The ntp daemon ntpd is far more subtle. It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance. The cost is a little processing power and memory, but for a modern server this is negligible."
11269
#: serverguide/C/network-config.xml:726(para)
7125
#: serverguide/C/network-config.xml:727(para)
11270
7126
msgid "To set up ntpd:"
11273
#: serverguide/C/network-config.xml:727(screen)
7129
#: serverguide/C/network-config.xml:728(screen)
11275
7131
msgid "sudo apt-get install ntp\n"
11278
#: serverguide/C/network-config.xml:732(title)
7134
#: serverguide/C/network-config.xml:733(title)
11279
7135
msgid "Changing Time Servers"
11282
#: serverguide/C/network-config.xml:733(para)
11284
"In both cases above, your system will use Ubuntu's NTP server at "
11285
"<code>ntp.ubuntu.com</code> by default. This is OK, but you might want to "
11286
"use several servers to increase accuracy and resilience, and you may want to "
11287
"use time servers that are geographically closer to you. to do this for "
11288
"ntpdate, change the contents of <code>/etc/cron.daily/ntpdate</code> to:"
7138
#: serverguide/C/network-config.xml:734(para)
7139
msgid "In both cases above, your system will use Ubuntu's NTP server at <code>ntp.ubuntu.com</code> by default. This is OK, but you might want to use several servers to increase accuracy and resilience, and you may want to use time servers that are geographically closer to you. to do this for ntpdate, change the contents of <code>/etc/cron.daily/ntpdate</code> to:"
11291
#: serverguide/C/network-config.xml:740(screen)
7142
#: serverguide/C/network-config.xml:741(screen)
11293
7144
msgid "ntpdate ntp.ubuntu.com pool.ntp.org \n"
11296
#: serverguide/C/network-config.xml:742(para)
11298
"And for ntpd edit <code>/etc/ntp.conf</code> to include additional server "
7147
#: serverguide/C/network-config.xml:743(para)
7148
msgid "And for ntpd edit <code>/etc/ntp.conf</code> to include additional server lines:"
11302
#: serverguide/C/network-config.xml:747(screen)
7151
#: serverguide/C/network-config.xml:748(screen)
11305
"server ntp.ubuntu.com\n"
11306
"server pool.ntp.org\n"
11309
#: serverguide/C/network-config.xml:750(para)
11311
"You may notice <code>pool.ntp.org</code> in the examples above. This is a "
11312
"really good idea which uses round-robin DNS to return an NTP server from a "
11313
"pool, spreading the load between several different servers. Even better, "
11314
"they have pools for different regions - for instance, if you are in New "
11315
"Zealand, so you could use <code>nz.pool.ntp.org</code> instead of "
11316
"<code>pool.ntp.org</code> . Look at <ulink "
11317
"url=\"http://www.pool.ntp.org/\">http://www.pool.ntp.org/</ulink> for more "
11321
#: serverguide/C/network-config.xml:761(para)
11323
"You can also Google for NTP servers in your region, and add these to your "
11324
"configuration. To test that a server works, just type <code>sudo ntpdate "
11325
"ntp.server.name</code> and see what happens."
11328
#: serverguide/C/network-config.xml:769(title)
7153
msgid "server ntp.ubuntu.com\nserver pool.ntp.org\n"
7156
#: serverguide/C/network-config.xml:751(para)
7157
msgid "You may notice <code>pool.ntp.org</code> in the examples above. This is a really good idea which uses round-robin DNS to return an NTP server from a pool, spreading the load between several different servers. Even better, they have pools for different regions - for instance, if you are in New Zealand, so you could use <code>nz.pool.ntp.org</code> instead of <code>pool.ntp.org</code> . Look at <ulink url=\"http://www.pool.ntp.org/\">http://www.pool.ntp.org/</ulink> for more details."
7160
#: serverguide/C/network-config.xml:762(para)
7161
msgid "You can also Google for NTP servers in your region, and add these to your configuration. To test that a server works, just type <code>sudo ntpdate ntp.server.name</code> and see what happens."
7164
#: serverguide/C/network-config.xml:770(title)
11329
7165
msgid "Related Pages"
11332
#: serverguide/C/network-config.xml:773(ulink)
7168
#: serverguide/C/network-config.xml:774(ulink)
11333
7169
msgid "NTP Support"
11336
#: serverguide/C/network-config.xml:778(ulink)
7172
#: serverguide/C/network-config.xml:779(ulink)
11337
7173
msgid "The NTP FAQ and HOWTO"
11396
7216
#: serverguide/C/network-auth.xml:63(para)
msgid "The installation process will prompt you for the LDAP directory admin password and confirmation."

#: serverguide/C/network-auth.xml:63(para)
msgid "By default <application>slapd</application> is configured with minimal options needed to run the <application>slapd</application> daemon."

#: serverguide/C/network-auth.xml:68(para)
msgid "By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be <emphasis>dc=example,dc=com</emphasis>. If you require a different suffix, the directory can be reconfigured using <application>dpkg-reconfigure</application>. Enter the following in a terminal prompt:"

#: serverguide/C/network-auth.xml:68(para)
msgid "The configuration example in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be <emphasis>dc=example,dc=com</emphasis>."

#: serverguide/C/network-auth.xml:78(command)
msgid "sudo dpkg-reconfigure slapd"

#: serverguide/C/network-auth.xml:81(para)
msgid "You will then be taken through a menu-based configuration dialog, allowing you to configure various <application>slapd</application> options."

#: serverguide/C/network-auth.xml:90(para)
msgid "<application>OpenLDAP</application> uses a separate database which contains the <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The <emphasis>cn=config</emphasis> DIT is used to dynamically configure the <application>slapd</application> daemon, allowing the modification of schema definitions, indexes, ACLs, etc. without stopping the service."

#: serverguide/C/network-auth.xml:98(para)
msgid "The <emphasis>cn=config</emphasis> tree can be manipulated using the utilities in the <application>ldap-utils</application> package. For example:"

#: serverguide/C/network-auth.xml:106(para)
msgid "Use <application>ldapsearch</application> to view the tree, entering the admin password set during installation or reconfiguration:"

#: serverguide/C/network-auth.xml:112(command)
msgid "ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb"

#: serverguide/C/network-auth.xml:116(computeroutput)
msgid ""
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"objectClass: olcDatabaseConfig\n"
"objectClass: olcHdbConfig\n"
"olcDatabase: {1}hdb\n"
"olcDbDirectory: /var/lib/ldap\n"
"olcSuffix: dc=example,dc=com\n"
"olcAccess: {0}to attrs=userPassword,shadowLastChange by "
"dn=\"cn=admin,dc=exampl\n"
" e,dc=com\" write by anonymous auth by self write by * none\n"
"olcAccess: {1}to dn.base=\"\" by * read\n"
"olcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
"olcLastMod: TRUE\n"
"olcDbCheckpoint: 512 30\n"
"olcDbConfig: {0}set_cachesize 0 2097152 0\n"
"olcDbConfig: {1}set_lk_max_objects 1500\n"
"olcDbConfig: {2}set_lk_max_locks 1500\n"
"olcDbConfig: {3}set_lk_max_lockers 1500\n"
"olcDbIndex: objectClass eq\n"

#: serverguide/C/network-auth.xml:137(para)
msgid "The output above is the current configuration options for the <emphasis>hdb</emphasis> backend database, which in this case contains the <emphasis>dc=example,dc=com</emphasis> suffix."

#: serverguide/C/network-auth.xml:146(para)
msgid "Refine the search by supplying a <emphasis role=\"italic\">filter</emphasis>, in this case only show which attributes "

#: serverguide/C/network-auth.xml:152(command)
msgid "ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb "

#: serverguide/C/network-auth.xml:156(computeroutput)
msgid ""
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"olcDbIndex: objectClass eq\n"

#: serverguide/C/network-auth.xml:165(para)
msgid "As an example of modifying the <emphasis>cn=config</emphasis> tree, add another attribute to the index list using <application>ldapmodify</application>:"

#: serverguide/C/network-auth.xml:171(command) serverguide/C/network-auth.xml:722(command) serverguide/C/network-auth.xml:838(command) serverguide/C/network-auth.xml:861(command) serverguide/C/network-auth.xml:2417(command) serverguide/C/network-auth.xml:2434(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W"

#: serverguide/C/network-auth.xml:175(userinput)
msgid ""
"dn: olcDatabase={1}hdb,cn=config\n"
"add: olcDbIndex\n"
"olcDbIndex: entryUUID eq"

#: serverguide/C/network-auth.xml:175(computeroutput)
msgid ""
"Enter LDAP Password:<placeholder-1/>\n"
"\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"

#: serverguide/C/network-auth.xml:184(para)
msgid "Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to exit the utility."

#: serverguide/C/network-auth.xml:191(para)
msgid "<application>ldapmodify</application> can also read the changes from a file. Copy and paste the following into a file named <filename>uid_index.ldif</filename>:"

#: serverguide/C/network-auth.xml:196(programlisting)
msgid ""
"\n"
"dn: olcDatabase={1}hdb,cn=config\n"
"add: olcDbIndex\n"
"olcDbIndex: uid eq,pres,sub\n"

#: serverguide/C/network-auth.xml:202(para)
msgid "Then execute <application>ldapmodify</application>:"

#: serverguide/C/network-auth.xml:76(title)
msgid "Populating LDAP"

#: serverguide/C/network-auth.xml:78(para)
msgid "<application>OpenLDAP</application> uses a separate directory which contains the <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The <emphasis>cn=config</emphasis> DIT is used to dynamically configure the <application>slapd</application> daemon, allowing the modification of schema definitions, indexes, ACLs, etc. without stopping the service."

#: serverguide/C/network-auth.xml:86(para)
msgid "The backend <emphasis>cn=config</emphasis> directory has only a minimal configuration and will need additional options in order to populate the frontend directory. The frontend will be populated with a \"classical\" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc."

#: serverguide/C/network-auth.xml:95(para)
msgid "For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details."

#: serverguide/C/network-auth.xml:103(para)
msgid "Remember to change <emphasis>dc=example,dc=com</emphasis> in the following examples to match your LDAP configuration."

#: serverguide/C/network-auth.xml:108(para)
msgid "First, some additional schema files need to be loaded. In a terminal enter:"

#: serverguide/C/network-auth.xml:113(command) serverguide/C/network-auth.xml:638(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif"

#: serverguide/C/network-auth.xml:114(command) serverguide/C/network-auth.xml:639(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif"

#: serverguide/C/network-auth.xml:115(command) serverguide/C/network-auth.xml:640(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif"

#: serverguide/C/network-auth.xml:118(para)
msgid "Next, copy the following example LDIF file, naming it <filename>backend.example.com.ldif</filename>, somewhere on your system:"

#: serverguide/C/network-auth.xml:123(programlisting)
msgid ""
"\n"
"# Load dynamic backend modules\n"
"dn: cn=module,cn=config\n"
"objectClass: olcModuleList\n"
"cn: module\n"
"olcModulepath: /usr/lib/ldap\n"
"olcModuleload: back_hdb\n"
"\n"
"# Database settings\n"
"dn: olcDatabase=hdb,cn=config\n"
"objectClass: olcDatabaseConfig\n"
"objectClass: olcHdbConfig\n"
"olcDatabase: {1}hdb\n"
"olcSuffix: dc=example,dc=com\n"
"olcDbDirectory: /var/lib/ldap\n"
"olcRootDN: cn=admin,dc=example,dc=com\n"
"olcRootPW: secret\n"
"olcDbConfig: set_cachesize 0 2097152 0\n"
"olcDbConfig: set_lk_max_objects 1500\n"
"olcDbConfig: set_lk_max_locks 1500\n"
"olcDbConfig: set_lk_max_lockers 1500\n"
"olcDbIndex: objectClass eq\n"
"olcLastMod: TRUE\n"
"olcDbCheckpoint: 512 30\n"
"olcAccess: to attrs=userPassword,shadowLastChange by dn=\"cn=admin,dc=example,dc=com\" write by anonymous auth by self write by * none\n"
"olcAccess: to dn.base=\"\" by * read\n"
"olcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
"\n"

#: serverguide/C/network-auth.xml:154(para)
msgid "Change <emphasis>olcRootPW: secret</emphasis> to a password of your choosing."

#: serverguide/C/network-auth.xml:159(para)
msgid "Now add the LDIF to the directory:"

#: serverguide/C/network-auth.xml:164(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif"

#: serverguide/C/network-auth.xml:167(para)
msgid "The frontend directory is now ready to be populated. Create a <filename>frontend.example.com.ldif</filename> with the following contents:"

#: serverguide/C/network-auth.xml:172(programlisting)
msgid ""
"\n"
"# Create top-level object in domain\n"
"dn: dc=example,dc=com\n"
"objectClass: top\n"
"objectClass: dcObject\n"
"objectclass: organization\n"
"o: Example Organization\n"
"dc: Example\n"
"description: LDAP Example \n"
"\n"
"# Admin user.\n"
"dn: cn=admin,dc=example,dc=com\n"
"objectClass: simpleSecurityObject\n"
"objectClass: organizationalRole\n"
"cn: admin\n"
"description: LDAP administrator\n"
"userPassword: secret\n"
"\n"
"dn: ou=people,dc=example,dc=com\n"
"objectClass: organizationalUnit\n"
"ou: people\n"
"\n"
"dn: ou=groups,dc=example,dc=com\n"
"objectClass: organizationalUnit\n"
"ou: groups\n"
"\n"
"dn: uid=john,ou=people,dc=example,dc=com\n"
"objectClass: inetOrgPerson\n"
"objectClass: posixAccount\n"
"objectClass: shadowAccount\n"
"uid: john\n"
"sn: Doe\n"
"givenName: John\n"
"cn: John Doe\n"
"displayName: John Doe\n"
"uidNumber: 1000\n"
"gidNumber: 10000\n"
"userPassword: password\n"
"gecos: John Doe\n"
"loginShell: /bin/bash\n"
"homeDirectory: /home/john\n"
"shadowExpire: -1\n"
"shadowFlag: 0\n"
"shadowWarning: 7\n"
"shadowMin: 8\n"
"shadowMax: 999999\n"
"shadowLastChange: 10877\n"
"mail: john.doe@example.com\n"
"postalCode: 31000\n"
"l: Toulouse\n"
"o: Example\n"
"mobile: +33 (0)6 xx xx xx xx\n"
"homePhone: +33 (0)5 xx xx xx xx\n"
"title: System Administrator\n"
"postalAddress: \n"
"initials: JD\n"
"\n"
"dn: cn=example,ou=groups,dc=example,dc=com\n"
"objectClass: posixGroup\n"
"cn: example\n"
"gidNumber: 10000\n"

#: serverguide/C/network-auth.xml:235(para)
msgid "In this example the directory structure, a user, and a group have been set up. In other examples you might see the <emphasis>objectClass: top</emphasis> added in every entry, but that is the default behaviour so you do not have to add it explicitly."

#: serverguide/C/network-auth.xml:242(para)
msgid "Add the entries to the LDAP directory:"

#: serverguide/C/network-auth.xml:248(command)
msgid "sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif"

#: serverguide/C/network-auth.xml:251(para)
msgid "We can check that the content has been correctly added with the <application>ldapsearch</application> utility. Execute a search of the LDAP directory:"

#: serverguide/C/network-auth.xml:257(command)
msgid "ldapsearch -xLLL -b \"dc=example,dc=com\" uid=john sn givenName cn"

#: serverguide/C/network-auth.xml:258(computeroutput)
msgid ""
"\n"
"dn: uid=john,ou=people,dc=example,dc=com\n"
"cn: John Doe\n"
"sn: Doe\n"
"givenName: John\n"

#: serverguide/C/network-auth.xml:266(para)
msgid "Just a quick explanation:"

#: serverguide/C/network-auth.xml:272(para)
msgid "<emphasis>-x:</emphasis> will not use the SASL authentication method, which is the default."

#: serverguide/C/network-auth.xml:278(para)
msgid "<emphasis>-LLL:</emphasis> disable printing LDIF schema information."

#: serverguide/C/network-auth.xml:286(title)
msgid "Further Configuration"

#: serverguide/C/network-auth.xml:289(para)
msgid "The <emphasis>cn=config</emphasis> tree can be manipulated using the utilities in the <application>ldap-utils</application> package. For example:"

#: serverguide/C/network-auth.xml:297(para)
msgid "Use <application>ldapsearch</application> to view the tree, entering the admin password set during installation or reconfiguration:"

#: serverguide/C/network-auth.xml:303(command)
msgid "sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn"

#: serverguide/C/network-auth.xml:307(computeroutput)
msgid ""
"\n"
"SASL/EXTERNAL authentication started\n"
"SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
"SASL SSF: 0\n"
"dn: cn=config\n"
"\n"
"dn: cn=module{0},cn=config\n"
"\n"
"dn: cn=schema,cn=config\n"
"\n"
"dn: cn={0}core,cn=schema,cn=config\n"
"\n"
"dn: cn={1}cosine,cn=schema,cn=config\n"
"\n"
"dn: cn={2}nis,cn=schema,cn=config\n"
"\n"
"dn: cn={3}inetorgperson,cn=schema,cn=config\n"
"\n"
"dn: olcDatabase={-1}frontend,cn=config\n"
"\n"
"dn: olcDatabase={0}config,cn=config\n"
"\n"
"dn: olcDatabase={1}hdb,cn=config\n"

#: serverguide/C/network-auth.xml:333(para)
msgid "The output above is the current configuration options for the <emphasis>cn=config</emphasis> backend database. Your output may vary."

#: serverguide/C/network-auth.xml:341(para)
msgid "As an example of modifying the <emphasis>cn=config</emphasis> tree, add another attribute to the index list using <application>ldapmodify</application>:"

#: serverguide/C/network-auth.xml:347(command) serverguide/C/network-auth.xml:696(command)
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:///"

#: serverguide/C/network-auth.xml:355(userinput)
msgid ""
"dn: olcDatabase={1}hdb,cn=config\n"
"add: olcDbIndex\n"
"olcDbIndex: entryUUID eq"

#: serverguide/C/network-auth.xml:351(computeroutput) serverguide/C/network-auth.xml:700(computeroutput)
msgid ""
"\n"
"SASL/EXTERNAL authentication started\n"
"SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
"SASL SSF: 0\n"
"<placeholder-1/>\n"
"\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"

#: serverguide/C/network-auth.xml:363(para)
msgid "Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to exit the utility."

#: serverguide/C/network-auth.xml:370(para)
msgid "<application>ldapmodify</application> can also read the changes from a file. Copy and paste the following into a file named <filename>uid_index.ldif</filename>:"

#: serverguide/C/network-auth.xml:375(programlisting)
msgid ""
"\n"
"dn: olcDatabase={1}hdb,cn=config\n"
"add: olcDbIndex\n"
"olcDbIndex: uid eq,pres,sub\n"

#: serverguide/C/network-auth.xml:381(para)
msgid "Then execute <application>ldapmodify</application>:"

#: serverguide/C/network-auth.xml:207(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f uid_index.ldif"

#: serverguide/C/network-auth.xml:386(command)
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif"

#: serverguide/C/network-auth.xml:211(computeroutput)
msgid ""
"Enter LDAP Password: \n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"

#: serverguide/C/network-auth.xml:390(computeroutput)
msgid ""
"\n"
"SASL/EXTERNAL authentication started\n"
"SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
"SASL SSF: 0\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"

#: serverguide/C/network-auth.xml:216(para)
#: serverguide/C/network-auth.xml:398(para)
msgid "The file method is very useful for large changes."

#: serverguide/C/network-auth.xml:223(para)
msgid "Adding additional <emphasis>schemas</emphasis> to <application>slapd</application> requires the schema to be converted to LDIF format. Fortunately, the <application>slapd</application> program can be used to automate the conversion. The following example will add the <emphasis>misc.schema</emphasis>:"

#: serverguide/C/network-auth.xml:231(para)
msgid "First, create a conversion <filename>schema_convert.conf</filename> file containing the following lines:"

#: serverguide/C/network-auth.xml:405(para)
msgid "Adding additional <emphasis>schemas</emphasis> to <application>slapd</application> requires the schema to be converted to LDIF format. The <filename role=\"directory\">/etc/ldap/schema</filename> directory contains some schema files already converted to LDIF format as demonstrated in the previous section. Fortunately, the <application>slapd</application> program can be used to automate the conversion. The following example will add the <emphasis>dyngroup.schema</emphasis>:"

#: serverguide/C/network-auth.xml:415(para)
msgid "First, create a conversion <filename>schema_convert.conf</filename> file containing the following lines:"

#: serverguide/C/network-auth.xml:236(programlisting)
#: serverguide/C/network-auth.xml:420(programlisting)
msgid ""
"\n"
"include /etc/ldap/schema/core.schema\n"
"include /etc/ldap/schema/collective.schema\n"
"include /etc/ldap/schema/corba.schema\n"
"include /etc/ldap/schema/cosine.schema\n"
"include /etc/ldap/schema/duaconf.schema\n"
"include /etc/ldap/schema/dyngroup.schema\n"
"include /etc/ldap/schema/inetorgperson.schema\n"
"include /etc/ldap/schema/java.schema\n"
"include /etc/ldap/schema/misc.schema\n"
"include /etc/ldap/schema/nis.schema\n"
"include /etc/ldap/schema/openldap.schema\n"
"include /etc/ldap/schema/ppolicy.schema\n"

#: serverguide/C/network-auth.xml:254(para) serverguide/C/network-auth.xml:1318(para)
#: serverguide/C/network-auth.xml:438(para) serverguide/C/network-auth.xml:1448(para)
msgid "Next, create a temporary directory to hold the output:"

#: serverguide/C/network-auth.xml:259(command) serverguide/C/network-auth.xml:1323(command) serverguide/C/network-auth.xml:2347(command)
#: serverguide/C/network-auth.xml:443(command) serverguide/C/network-auth.xml:1453(command) serverguide/C/network-auth.xml:2477(command)
msgid "mkdir /tmp/ldif_output"

#: serverguide/C/network-auth.xml:265(para)
#: serverguide/C/network-auth.xml:449(para)
msgid "Now using <application>slapcat</application> convert the schema files to LDIF:"

#: serverguide/C/network-auth.xml:270(command)
msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={8}misc,cn=schema,cn=config\" > /tmp/cn=misc.ldif"

#: serverguide/C/network-auth.xml:454(command)
msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={5}dyngroup,cn=schema,cn=config\" > /tmp/cn=dyngroup.ldif"

#: serverguide/C/network-auth.xml:273(para)
#: serverguide/C/network-auth.xml:457(para)
msgid "Adjust the configuration file name and temporary directory names if yours are different. Also, it may be worthwhile to keep the <filename>ldif_output</filename> directory around in case you want to add additional schemas in the future."

#: serverguide/C/network-auth.xml:282(para)
msgid "Edit the <filename>/tmp/cn\\=misc.ldif</filename> file, changing the following attributes:"

#: serverguide/C/network-auth.xml:286(programlisting)
msgid ""
"\n"
"dn: cn=misc,cn=schema,cn=config\n"
"...\n"
"cn: misc\n"

#: serverguide/C/network-auth.xml:466(para)
msgid "Edit the <filename>/tmp/cn\\=dyngroup.ldif</filename> file, changing the following attributes:"

#: serverguide/C/network-auth.xml:470(programlisting)
msgid ""
"\n"
"dn: cn=dyngroup,cn=schema,cn=config\n"
"...\n"
"cn: dyngroup\n"

#: serverguide/C/network-auth.xml:292(para) serverguide/C/network-auth.xml:1354(para)
#: serverguide/C/network-auth.xml:476(para) serverguide/C/network-auth.xml:1484(para)
msgid "And remove the following lines from the bottom of the file:"

#: serverguide/C/network-auth.xml:296(programlisting)
#: serverguide/C/network-auth.xml:480(programlisting)
msgid ""
"\n"
"structuralObjectClass: olcSchemaConfig\n"
"entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757\n"
"creatorsName: cn=config\n"
"createTimestamp: 20080826021140Z\n"
"entryCSN: 20080826021140.791425Z#000000#000#000000\n"
"modifiersName: cn=config\n"
"modifyTimestamp: 20080826021140Z\n"

#: serverguide/C/network-auth.xml:307(para) serverguide/C/network-auth.xml:1369(para) serverguide/C/network-auth.xml:2393(para)
#: serverguide/C/network-auth.xml:491(para) serverguide/C/network-auth.xml:1499(para) serverguide/C/network-auth.xml:2523(para)
msgid "The attribute values will vary, just be sure the attributes are removed."

#: serverguide/C/network-auth.xml:315(para) serverguide/C/network-auth.xml:1377(para)
#: serverguide/C/network-auth.xml:499(para) serverguide/C/network-auth.xml:1507(para)
msgid "Finally, using the <application>ldapadd</application> utility, add the new schema to the directory:"

#: serverguide/C/network-auth.xml:321(command)
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=misc.ldif"

#: serverguide/C/network-auth.xml:505(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\\=dyngroup.ldif"

#: serverguide/C/network-auth.xml:327(para)
msgid "There should now be a <emphasis>dn: cn={4}misc,cn=schema,cn=config</emphasis> entry in the cn=config tree."

#: serverguide/C/network-auth.xml:511(para)
msgid "There should now be a <emphasis>dn: cn={4}dyngroup,cn=schema,cn=config</emphasis> entry in the cn=config tree."

#: serverguide/C/network-auth.xml:336(title)
msgid "Populating LDAP"

#: serverguide/C/network-auth.xml:338(para)
msgid "The directory has been created during installation and reconfiguration, and now it is time to populate it. It will be populated with a \"classical\" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc."

#: serverguide/C/network-auth.xml:347(para)
msgid "For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details."

#: serverguide/C/network-auth.xml:354(para)
msgid "LDAP directories can be populated with LDIF (LDAP Directory Interchange Format) files. Copy the following example LDIF file, naming it <filename>example.com.ldif</filename>, somewhere on your system:"

#: serverguide/C/network-auth.xml:360(programlisting)
msgid ""
"\n"
"dn: ou=people,dc=example,dc=com\n"
"objectClass: organizationalUnit\n"
"ou: people\n"
"\n"
"dn: ou=groups,dc=example,dc=com\n"
"objectClass: organizationalUnit\n"
"ou: groups\n"
"\n"
"dn: uid=john,ou=people,dc=example,dc=com\n"
"objectClass: inetOrgPerson\n"
"objectClass: posixAccount\n"
"objectClass: shadowAccount\n"
"uid: john\n"
"sn: Doe\n"
"givenName: John\n"
"cn: John Doe\n"
"displayName: John Doe\n"
"uidNumber: 1000\n"
"gidNumber: 10000\n"
"userPassword: password\n"
"gecos: John Doe\n"
"loginShell: /bin/bash\n"
"homeDirectory: /home/john\n"
"shadowExpire: -1\n"
"shadowFlag: 0\n"
"shadowWarning: 7\n"
"shadowMin: 8\n"
"shadowMax: 999999\n"
"shadowLastChange: 10877\n"
"mail: john.doe@example.com\n"
"postalCode: 31000\n"
"l: Toulouse\n"
"o: Example\n"
"mobile: +33 (0)6 xx xx xx xx\n"
"homePhone: +33 (0)5 xx xx xx xx\n"
"title: System Administrator\n"
"postalAddress: \n"
"initials: JD\n"
"\n"
"dn: cn=example,ou=groups,dc=example,dc=com\n"
"objectClass: posixGroup\n"
"cn: example\n"
"gidNumber: 10000\n"

#: serverguide/C/network-auth.xml:406(para)
msgid "In this example the directory structure, a user, and a group have been set up. In other examples you might see the <emphasis>objectClass: top</emphasis> added in every entry, but that is the default behaviour so you do not have to add it explicitly."

#: serverguide/C/network-auth.xml:413(para)
msgid "To add the entries to the LDAP directory use the <application>ldapadd</application> utility:"

#: serverguide/C/network-auth.xml:419(command)
msgid "ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif"

#: serverguide/C/network-auth.xml:422(para)
msgid "We can check that the content has been correctly added with the tools from the <application>ldap-utils</application> package. In order to execute a search of the LDAP directory:"

#: serverguide/C/network-auth.xml:429(command)
msgid "ldapsearch -xLLL -b \"dc=example,dc=com\" uid=john sn givenName cn"

#: serverguide/C/network-auth.xml:430(computeroutput)
msgid ""
"\n"
"dn: uid=john,ou=people,dc=example,dc=com\n"
"cn: John Doe\n"
"sn: Doe\n"
"givenName: John\n"

#: serverguide/C/network-auth.xml:438(para)
msgid "Just a quick explanation:"

#: serverguide/C/network-auth.xml:444(para)
msgid "<emphasis>-x:</emphasis> will not use the SASL authentication method, which is the default."

#: serverguide/C/network-auth.xml:450(para)
msgid "<emphasis>-LLL:</emphasis> disable printing LDIF schema information."

#: serverguide/C/network-auth.xml:459(title)
#: serverguide/C/network-auth.xml:521(title)
msgid "LDAP replication"

#: serverguide/C/network-auth.xml:461(para)
"LDAP often quickly becomes a highly critical service to the network. "
"Multiple systems will come to depend on LDAP for authentication, "
"authorization, configuration, etc. It is a good idea to set up a redundant "
"system through replication."

#: serverguide/C/network-auth.xml:467(para)
"Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. "
"Syncrepl allows the directory to be synced using either a "
"<emphasis>push</emphasis> or <emphasis>pull</emphasis> based system. In a "
"push-based configuration a <quote>primary</quote> server will push directory "
"updates to <quote>secondary</quote> servers, while a pull-based approach "
"allows replication servers to sync on a time-based interval."

#: serverguide/C/network-auth.xml:475(para)
"The following is an example of a <emphasis>Multi-Master</emphasis> "
"configuration. In this configuration each OpenLDAP server is configured for "
"both <emphasis>push</emphasis> and <emphasis>pull</emphasis> replication."

#: serverguide/C/network-auth.xml:483(para)
"First, configure the server to sync the <emphasis>cn=config</emphasis> "
"database. Copy the following to a file named <filename>syncrepl_cn-"
"config.ldif</filename>:"

#: serverguide/C/network-auth.xml:488(programlisting)
"dn: cn=module{0},cn=config\n"
"changetype: modify\n"
"add: olcModuleLoad\n"
"olcModuleLoad: syncprov\n"
"changetype: modify\n"
"replace: olcServerID\n"
"olcServerID: 1 ldap://ldap01.example.com\n"
"olcServerID: 2 ldap://ldap02.example.com\n"
"dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config\n"
"changetype: add\n"
"objectClass: olcOverlayConfig\n"
"objectClass: olcSyncProvConfig\n"
"olcOverlay: syncprov\n"
"dn: olcDatabase={0}config,cn=config\n"
"changetype: modify\n"
"add: olcSyncRepl\n"
"olcSyncRepl: rid=001 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,cn=config\" bindmethod=simple\n"
" credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n"
" retry=\"5 5 300 5\" timeout=1\n"
"olcSyncRepl: rid=002 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,cn=config\" bindmethod=simple\n"
" credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n"
" retry=\"5 5 300 5\" timeout=1\n"
"add: olcMirrorMode\n"
"olcMirrorMode: TRUE\n"

#: serverguide/C/network-auth.xml:523(para)
msgid "LDAP often quickly becomes a highly critical service to the network. Multiple systems will come to depend on LDAP for authentication, authorization, configuration, etc. It is a good idea to set up a redundant system through replication."

#: serverguide/C/network-auth.xml:529(para)
msgid "Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. Syncrepl allows the directory to be synced using either a <emphasis>push</emphasis> or <emphasis>pull</emphasis> based system. In a push-based configuration a <quote>primary</quote> server will push directory updates to <quote>secondary</quote> servers, while a pull-based approach allows replication servers to sync on a time-based interval."

#: serverguide/C/network-auth.xml:537(para)
msgid "The following is an example of a <emphasis>Multi-Master</emphasis> configuration. In this configuration each OpenLDAP server is configured for both <emphasis>push</emphasis> and <emphasis>pull</emphasis> replication."

#: serverguide/C/network-auth.xml:545(para)
msgid "First, configure the server to sync the <emphasis>cn=config</emphasis> database. Copy the following to a file named <filename>syncrepl_cn-config.ldif</filename>:"

#: serverguide/C/network-auth.xml:550(programlisting)
msgid "\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov\n\ndn: cn=config\nchangetype: modify\nreplace: olcServerID\nolcServerID: 1 ldap://ldap01.example.com\nolcServerID: 2 ldap://ldap02.example.com\n\ndn: olcOverlay=syncprov,olcDatabase={0}config,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\n\ndn: olcDatabase={0}config,cn=config\nchangetype: modify\nadd: olcSyncRepl\nolcSyncRepl: rid=001 provider=ldap://ldap01.example.com binddn=\"cn=admin,cn=config\" bindmethod=simple\n credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n retry=\"5 5 300 5\" timeout=1\nolcSyncRepl: rid=002 provider=ldap://ldap02.example.com binddn=\"cn=admin,cn=config\" bindmethod=simple\n credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n retry=\"5 5 300 5\" timeout=1\n-\nadd: olcMirrorMode\nolcMirrorMode: TRUE\n-\nadd: olcRootPW\nolcRootPW: secret\n"

#: serverguide/C/network-auth.xml:586(para)
msgid "Change <emphasis>secret</emphasis> to an appropriate password for the admin user."

#: serverguide/C/network-auth.xml:594(para)
msgid "Edit the file changing:"

#: serverguide/C/network-auth.xml:529(para)
"<emphasis>ldap://ldap01.example.com</emphasis> and "
"<emphasis>ldap://ldap02.example.com</emphasis> to the hostnames of your LDAP "

#: serverguide/C/network-auth.xml:534(para)
"You can have more than two LDAP servers, and when a change is made to one of "
"them it will be synced to the rest. Be sure to increment the "
"<emphasis>olcServerID</emphasis> for each server, and the "
"<emphasis>rid</emphasis> for each <emphasis>olcSyncRepl</emphasis> entry."

#: serverguide/C/network-auth.xml:542(para)
"And adjust <emphasis>credentials=secret</emphasis> to match your admin "

#: serverguide/C/network-auth.xml:552(para)
"Next, add the LDIF file using the <application>ldapmodify</application> "

#: serverguide/C/network-auth.xml:557(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_cn-config.ldif"

#: serverguide/C/network-auth.xml:563(para)
"Copy the <filename>syncrepl_cn-config.ldif</filename> file to the next LDAP "
"server and repeat the <application>ldapmodify</application> command above."

#: serverguide/C/network-auth.xml:571(para)
"Because a new module has been added, the <application>slapd</application> "
"daemon, on all replicated servers, needs to be restarted:"

#: serverguide/C/network-auth.xml:577(command) serverguide/C/network-auth.xml:779(command) serverguide/C/network-auth.xml:895(command)

#: serverguide/C/network-auth.xml:600(para)
msgid "<emphasis>ldap://ldap01.example.com</emphasis> and <emphasis>ldap://ldap02.example.com</emphasis> to the hostnames of your LDAP servers."

#: serverguide/C/network-auth.xml:605(para)
msgid "You can have more than two LDAP servers, and when a change is made to one of them it will be synced to the rest. Be sure to increment the <emphasis>olcServerID</emphasis> for each server, and the <emphasis>rid</emphasis> for each <emphasis>olcSyncRepl</emphasis> entry."

#: serverguide/C/network-auth.xml:613(para)
msgid "And adjust <emphasis>credentials=secret</emphasis> to match your admin password."

#: serverguide/C/network-auth.xml:623(para)
msgid "Next, add the LDIF file using the <application>ldapmodify</application> utility:"

#: serverguide/C/network-auth.xml:628(command)
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl_cn-config.ldif"

#: serverguide/C/network-auth.xml:633(para)
msgid "On the second LDAP server, <emphasis>ldap02.example.com</emphasis> in this case, add the additional schema files:"

#: serverguide/C/network-auth.xml:643(para)
msgid "Also, load the <emphasis>cn=module</emphasis> object. Create a <filename>module.ldif</filename> with the following contents:"

#: serverguide/C/network-auth.xml:648(programlisting)
msgid "\n# Load dynamic backend modules\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: /usr/lib/ldap\nolcModuleload: back_hdb\n"

#: serverguide/C/network-auth.xml:657(para)
msgid "And add the LDIF by entering:"

#: serverguide/C/network-auth.xml:662(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f module.ldif"

#: serverguide/C/network-auth.xml:668(para)
msgid "Now copy the <filename>syncrepl_cn-config.ldif</filename> file to the next LDAP server and add it to the directory:"

#: serverguide/C/network-auth.xml:673(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl_cn-config.ldif"

#: serverguide/C/network-auth.xml:679(para)
msgid "Because a new module has been added, the <application>slapd</application> daemon, on all replicated servers, needs to be restarted:"

#: serverguide/C/network-auth.xml:685(command) serverguide/C/network-auth.xml:909(command) serverguide/C/network-auth.xml:1025(command)
msgid "sudo /etc/init.d/slapd restart"

#: serverguide/C/network-auth.xml:583(para)
"Now that the configuration database is synced between servers, the "
"<emphasis>backend</emphasis> database needs to be synced as well. Copy and "
"paste the following into another LDIF file named "
"<filename>syncrepl_backend.ldif</filename>:"

#: serverguide/C/network-auth.xml:589(programlisting)
"dn: olcDatabase={1}hdb,cn=config\n"
"changetype: modify\n"
"olcRootDN: cn=admin,dc=example,dc=com\n"
"add: olcSyncRepl\n"
"olcSyncRepl: rid=003 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,dc=example,dc=com\" \n"
" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
"type=refreshOnly \n"
" interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n"
"olcSyncRepl: rid=004 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,dc=example,dc=com\" \n"
" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
"type=refreshOnly \n"
" interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n"
"add: olcMirrorMode\n"
"olcMirrorMode: TRUE\n"
"dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config\n"
"changetype: add\n"
"objectClass: olcOverlayConfig\n"
"objectClass: olcSyncProvConfig\n"
"olcOverlay: syncprov\n"

#: serverguide/C/network-auth.xml:616(para)

#: serverguide/C/network-auth.xml:691(para)
msgid "To test that the <emphasis>cn=config</emphasis> directory is being synced, add another index to the frontend directory:"

#: serverguide/C/network-auth.xml:704(userinput)
msgid "dn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: cn eq,pres,sub"

#: serverguide/C/network-auth.xml:716(para)
msgid "Now that the configuration directory is synced between servers, the <emphasis>frontend</emphasis> database needs to be synced as well. Copy and paste the following into another LDIF file named <filename>syncrepl_frontend.ldif</filename>:"

#: serverguide/C/network-auth.xml:722(programlisting)
msgid "\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcSyncRepl\nolcSyncRepl: rid=003 provider=ldap://ldap01.example.com binddn=\"cn=admin,dc=example,dc=com\" \n bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" type=refreshOnly \n interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\nolcSyncRepl: rid=004 provider=ldap://ldap02.example.com binddn=\"cn=admin,dc=example,dc=com\" \n bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" type=refreshOnly \n interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n-\nadd: olcMirrorMode\nolcMirrorMode: TRUE\n\ndn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\n"

#: serverguide/C/network-auth.xml:746(para)
msgid "Like the previous LDIF file, edit this one changing:"

#: serverguide/C/network-auth.xml:622(para)
"<emphasis>searchbase=\"dc=example,dc=com\"</emphasis> to your directory's "

#: serverguide/C/network-auth.xml:627(para)
"If you use a different admin user, change "
"<emphasis>binddn=\"cn=admin,dc=example,dc=com\"</emphasis>."

#: serverguide/C/network-auth.xml:632(para)
"Also, replace <emphasis>credentials=secret</emphasis> with your admin "

#: serverguide/C/network-auth.xml:641(para)

#: serverguide/C/network-auth.xml:752(para)
msgid "<emphasis>searchbase=\"dc=example,dc=com\"</emphasis> to your directory's searchbase."

#: serverguide/C/network-auth.xml:757(para)
msgid "If you use a different admin user, change <emphasis>binddn=\"cn=admin,dc=example,dc=com\"</emphasis>."

#: serverguide/C/network-auth.xml:762(para)
msgid "Also, replace <emphasis>credentials=secret</emphasis> with your admin password."

#: serverguide/C/network-auth.xml:771(para)
msgid "Add the LDIF file:"

#: serverguide/C/network-auth.xml:646(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_backend.ldif"

#: serverguide/C/network-auth.xml:649(para)
"Because the servers' configuration is already synced there is no need to "
"copy this LDIF file to the other servers."

#: serverguide/C/network-auth.xml:657(para)
"The configuration and backend databases should now sync to the other "
"servers. You can add additional servers using the "
"<application>ldapmodify</application> utility as the need arises. See <xref "
"linkend=\"openldap-configuration\"/> for details."

#: serverguide/C/network-auth.xml:667(programlisting)

#: serverguide/C/network-auth.xml:776(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_frontend.ldif"

#: serverguide/C/network-auth.xml:779(para)
msgid "Because the servers' configuration is already synced there is no need to copy this LDIF file to the other servers."

#: serverguide/C/network-auth.xml:787(para)
msgid "The configuration and backend databases should now sync to the other servers. You can add additional servers using the <application>ldapmodify</application> utility as the need arises. See <xref linkend=\"openldap-configuration\"/> for details."

#: serverguide/C/network-auth.xml:797(programlisting)
msgid "127.0.0.1\tldap01.example.com ldap01"

#: serverguide/C/network-auth.xml:663(para)
"The <application>slapd</application> daemon will send log information to "
"<filename>/var/log/syslog</filename> by default. So if all does "
"<emphasis>not</emphasis> go well, check there for errors and other "
"troubleshooting information. Also, be sure that each server knows its Fully "
"Qualified Domain Name (FQDN). This is configured in "
"<filename>/etc/hosts</filename> with a line similar to: <placeholder-1/>."

#: serverguide/C/network-auth.xml:793(para)
msgid "The <application>slapd</application> daemon will send log information to <filename>/var/log/syslog</filename> by default. So if all does <emphasis>not</emphasis> go well, check there for errors and other troubleshooting information. Also, be sure that each server knows its Fully Qualified Domain Name (FQDN). This is configured in <filename>/etc/hosts</filename> with a line similar to: <placeholder-1/>."

#: serverguide/C/network-auth.xml:674(title)

#: serverguide/C/network-auth.xml:804(title)
msgid "Setting up ACL"

#: serverguide/C/network-auth.xml:676(para)
"Authentication requires access to the password field, which should not be "
"accessible by default. Also, in order for users to change their own "
"password, using <command>passwd</command> or other utilities, "
"<emphasis>shadowLastChange</emphasis> needs to be accessible once a user has "

#: serverguide/C/network-auth.xml:683(para)
"To view the Access Control List (ACL), use the "
"<application>ldapsearch</application> utility:"

#: serverguide/C/network-auth.xml:688(command)
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb "

#: serverguide/C/network-auth.xml:692(computeroutput)

#: serverguide/C/network-auth.xml:806(para)
msgid "Authentication requires access to the password field, which should not be accessible by default. Also, in order for users to change their own password, using <command>passwd</command> or other utilities, <emphasis>shadowLastChange</emphasis> needs to be accessible once a user has authenticated."

#: serverguide/C/network-auth.xml:813(para)
msgid "To view the Access Control List (ACL), use the <application>ldapsearch</application> utility:"

#: serverguide/C/network-auth.xml:818(command)
msgid "ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb olcAccess"

#: serverguide/C/network-auth.xml:822(computeroutput)
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"olcAccess: {0}to attrs=userPassword,shadowLastChange by "
"dn=\"cn=admin,dc=exampl\n"
" e,dc=com\" write by anonymous auth by self write by * none\n"
"olcAccess: {1}to dn.base=\"\" by * read\n"
"olcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
msgid "Enter LDAP Password: \ndn: olcDatabase={1}hdb,cn=config\nolcAccess: {0}to attrs=userPassword,shadowLastChange by dn=\"cn=admin,dc=exampl\n e,dc=com\" write by anonymous auth by self write by * none\nolcAccess: {1}to dn.base=\"\" by * read\nolcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"

#: serverguide/C/network-auth.xml:704(title)

#: serverguide/C/network-auth.xml:834(title)
msgid "TLS and SSL"

#: serverguide/C/network-auth.xml:706(para)
"When authenticating to an OpenLDAP server it is best to do so using an "
"encrypted session. This can be accomplished using Transport Layer Security "
"(TLS) and/or Secure Sockets Layer (SSL)."

#: serverguide/C/network-auth.xml:711(para)
"The first step in the process is to obtain or create a "
"<emphasis>certificate</emphasis>. See <xref linkend=\"certificates-and-"
"security\"/> and <xref linkend=\"certificate-authority\"/> for details."

#: serverguide/C/network-auth.xml:716(para)
"Once you have a certificate, key, and CA cert installed, use "
"<application>ldapmodify</application> to add the new configuration options:"

#: serverguide/C/network-auth.xml:727(userinput)
"add: olcTLSCACertificateFile\n"
"olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n"
"add: olcTLSCertificateFile\n"
"olcTLSCertificateFile: /etc/ssl/certs/server.crt\n"
"add: olcTLSCertificateKeyFile\n"
"olcTLSCertificateKeyFile: /etc/ssl/private/server.key"

#: serverguide/C/network-auth.xml:726(computeroutput)
"Enter LDAP Password:\n"
"<placeholder-1/>\n"
"modifying entry \"cn=config\"\n"

#: serverguide/C/network-auth.xml:742(para)
"Adjust the <filename>server.crt</filename>, <filename>server.key</filename>, "
"and <filename>cacert.pem</filename> names if yours are different. If you "
"have a self-signed certificate, do <emphasis>NOT</emphasis> add the "
"olcTLSCACertificateFile property, as it will cause GnuTLS to fail."

#: serverguide/C/network-auth.xml:749(para)
"Next, edit <filename>/etc/default/slapd</filename> and uncomment the "
"<emphasis>SLAPD_SERVICES</emphasis> option:"

#: serverguide/C/network-auth.xml:753(programlisting)
"SLAPD_SERVICES=\"ldap:/// ldapi:/// ldaps:///\"\n"

#: serverguide/C/network-auth.xml:757(para)
"Now the <emphasis>openldap</emphasis> user needs access to the certificate:"

#: serverguide/C/network-auth.xml:762(command)

#: serverguide/C/network-auth.xml:836(para)
msgid "When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL)."

#: serverguide/C/network-auth.xml:841(para)
msgid "The first step in the process is to obtain or create a <emphasis>certificate</emphasis>. See <xref linkend=\"certificates-and-security\"/> and <xref linkend=\"certificate-authority\"/> for details."

#: serverguide/C/network-auth.xml:846(para)
msgid "Once you have a certificate, key, and CA cert installed, use <application>ldapmodify</application> to add the new configuration options:"

#: serverguide/C/network-auth.xml:852(command) serverguide/C/network-auth.xml:968(command) serverguide/C/network-auth.xml:991(command) serverguide/C/network-auth.xml:2547(command) serverguide/C/network-auth.xml:2564(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W"

#: serverguide/C/network-auth.xml:857(userinput)
msgid "dn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/server.crt\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/server.key"

#: serverguide/C/network-auth.xml:856(computeroutput)
msgid "Enter LDAP Password:\n<placeholder-1/>\n\nmodifying entry \"cn=config\"\n"

#: serverguide/C/network-auth.xml:872(para)
msgid "Adjust the <filename>server.crt</filename>, <filename>server.key</filename>, and <filename>cacert.pem</filename> names if yours are different. If you have a self-signed certificate, do <emphasis>NOT</emphasis> add the olcTLSCACertificateFile property, as it will cause GnuTLS to fail."

#: serverguide/C/network-auth.xml:879(para)
msgid "Next, edit <filename>/etc/default/slapd</filename> and uncomment the <emphasis>SLAPD_SERVICES</emphasis> option:"

#: serverguide/C/network-auth.xml:883(programlisting)
msgid "\nSLAPD_SERVICES=\"ldap:/// ldapi:/// ldaps:///\"\n"

#: serverguide/C/network-auth.xml:887(para)
msgid "Now the <emphasis>openldap</emphasis> user needs access to the certificate:"

#: serverguide/C/network-auth.xml:892(command)
msgid "sudo adduser openldap ssl-cert"

#: serverguide/C/network-auth.xml:763(command)

#: serverguide/C/network-auth.xml:893(command)
msgid "sudo chgrp ssl-cert /etc/ssl/private/server.key"

#: serverguide/C/network-auth.xml:764(command)

#: serverguide/C/network-auth.xml:894(command)
msgid "sudo chmod g+r /etc/ssl/private/server.key"

#: serverguide/C/network-auth.xml:768(para)
"If the <filename role=\"directory\">/etc/ssl/private</filename> and "
"<filename>/etc/ssl/private/server.key</filename> have different permissions, "
"adjust the commands appropriately."

#: serverguide/C/network-auth.xml:898(para)
msgid "If the <filename role=\"directory\">/etc/ssl/private</filename> and <filename>/etc/ssl/private/server.key</filename> have different permissions, adjust the commands appropriately."

#: serverguide/C/network-auth.xml:774(para)

#: serverguide/C/network-auth.xml:904(para)
msgid "Finally, restart <application>slapd</application>:"

#: serverguide/C/network-auth.xml:782(para)
"The <application>slapd</application> daemon should now be listening for "
"LDAPS connections and be able to use STARTTLS during authentication."

#: serverguide/C/network-auth.xml:788(para)
"If you run into trouble with the server not starting, check "
"/var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, "
"it is likely there is a configuration problem. Check that the certificate is "
"signed by the certificate authority in the configured files, and that the ssl-cert "
"group has read permission on the private key."

#: serverguide/C/network-auth.xml:800(title)

#: serverguide/C/network-auth.xml:912(para)
msgid "The <application>slapd</application> daemon should now be listening for LDAPS connections and be able to use STARTTLS during authentication."

#: serverguide/C/network-auth.xml:918(para)
msgid "If you run into trouble with the server not starting, check /var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, it is likely there is a configuration problem. Check that the certificate is signed by the certificate authority in the configured files, and that the ssl-cert group has read permission on the private key."

#: serverguide/C/network-auth.xml:930(title)
msgid "TLS Replication"

#: serverguide/C/network-auth.xml:802(para)
"If you have set up <application>Syncrepl</application> between servers, it is "
"prudent to encrypt the replication traffic using <emphasis>Transport Layer "
"Security (TLS)</emphasis>. For details on setting up replication see <xref "
"linkend=\"openldap-server-replication\"/>."

#: serverguide/C/network-auth.xml:808(para)
"After setting up replication, and following the instructions in <xref "
"linkend=\"openldap-tls\"/>, there are a couple of consequences that should "

#: serverguide/C/network-auth.xml:815(para)
"The configuration only needs to be modified on <emphasis>one</emphasis> "

#: serverguide/C/network-auth.xml:820(para)
"The path names for the <emphasis>certificate</emphasis> and "
"<emphasis>key</emphasis> must be the same on all servers."

#: serverguide/C/network-auth.xml:827(para)
"So on each replicated server: install a certificate, edit "
"<filename>/etc/default/slapd</filename>, and restart "
"<application>slapd</application>."

#: serverguide/C/network-auth.xml:832(para)
"Once <emphasis>TLS</emphasis> has been set up on each server, modify the "
"<emphasis>cn=config</emphasis> replication by entering the following in a "

#: serverguide/C/network-auth.xml:843(userinput)
"dn: olcDatabase={0}config,cn=config\n"
"replace: olcSyncrepl\n"
"olcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,cn\n"
" =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" "
" shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes\n"
"olcSyncrepl: {1}rid=002 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,cn\n"
" =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" "
" shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes"

#: serverguide/C/network-auth.xml:842(computeroutput)
"Enter LDAP Password: \n"
"<placeholder-1/>\n"
"modifying entry \"olcDatabase={0}config,cn=config\"\n"

#: serverguide/C/network-auth.xml:856(para)

#: serverguide/C/network-auth.xml:932(para)
msgid "If you have set up <application>Syncrepl</application> between servers, it is prudent to encrypt the replication traffic using <emphasis>Transport Layer Security (TLS)</emphasis>. For details on setting up replication see <xref linkend=\"openldap-server-replication\"/>."

#: serverguide/C/network-auth.xml:938(para)
msgid "After setting up replication, and following the instructions in <xref linkend=\"openldap-tls\"/>, there are a couple of consequences that should be kept in mind:"

#: serverguide/C/network-auth.xml:945(para)
msgid "The configuration only needs to be modified on <emphasis>one</emphasis> server."

#: serverguide/C/network-auth.xml:950(para)
msgid "The path names for the <emphasis>certificate</emphasis> and <emphasis>key</emphasis> must be the same on all servers."

#: serverguide/C/network-auth.xml:957(para)
msgid "So on each replicated server: install a certificate, edit <filename>/etc/default/slapd</filename>, and restart <application>slapd</application>."

#: serverguide/C/network-auth.xml:962(para)
msgid "Once <emphasis>TLS</emphasis> has been set up on each server, modify the <emphasis>cn=config</emphasis> replication by entering the following in a terminal:"

#: serverguide/C/network-auth.xml:973(userinput)
msgid "dn: olcDatabase={0}config,cn=config\nreplace: olcSyncrepl\nolcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com binddn=\"cn=admin,cn\n =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" type=refre\n shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes\nolcSyncrepl: {1}rid=002 provider=ldap://ldap02.example.com binddn=\"cn=admin,cn\n =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" type=refre\n shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes"

#: serverguide/C/network-auth.xml:972(computeroutput)
msgid "Enter LDAP Password: \n<placeholder-1/>\n\nmodifying entry \"olcDatabase={0}config,cn=config\"\n"

#: serverguide/C/network-auth.xml:986(para)
msgid "Now adjust the <emphasis>backend</emphasis> database replication:"

#: serverguide/C/network-auth.xml:866(userinput)
"dn: olcDatabase={1}hdb,cn=config\n"
"replace: olcSyncrepl\n"
"olcSyncrepl: {0}rid=003 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,dc=example,dc=\n"
" com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
" efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes\n"
"olcSyncrepl: {1}rid=004 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,dc=example,dc=\n"
" com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
" efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes"

#: serverguide/C/network-auth.xml:865(computeroutput) serverguide/C/network-auth.xml:2418(computeroutput)
"Enter LDAP Password:\n"
"<placeholder-1/>\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\""

#: serverguide/C/network-auth.xml:878(para)
"If the LDAP server hostname does not match the Fully Qualified Domain Name "
"(FQDN) in the certificate, you may have to edit "
"<filename>/etc/ldap/ldap.conf</filename> and add the following TLS options:"

#: serverguide/C/network-auth.xml:883(programlisting)
"TLS_CERT /etc/ssl/certs/server.crt\n"
"TLS_KEY /etc/ssl/private/server.key\n"
"TLS_CACERT /etc/ssl/certs/cacert.pem\n"

#: serverguide/C/network-auth.xml:890(para)
"Finally, restart <application>slapd</application> on each of the servers:"

#: serverguide/C/network-auth.xml:903(title)

#: serverguide/C/network-auth.xml:996(userinput)
msgid "dn: olcDatabase={1}hdb,cn=config\nreplace: olcSyncrepl\nolcSyncrepl: {0}rid=003 provider=ldap://ldap01.example.com binddn=\"cn=admin,dc=example,dc=\n com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" type=r\n efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes\nolcSyncrepl: {1}rid=004 provider=ldap://ldap02.example.com binddn=\"cn=admin,dc=example,dc=\n com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" type=r\n efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes"

#: serverguide/C/network-auth.xml:995(computeroutput) serverguide/C/network-auth.xml:2548(computeroutput)
msgid "Enter LDAP Password:\n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\""

#: serverguide/C/network-auth.xml:1008(para)
msgid "If the LDAP server hostname does not match the Fully Qualified Domain Name (FQDN) in the certificate, you may have to edit <filename>/etc/ldap/ldap.conf</filename> and add the following TLS options:"

#: serverguide/C/network-auth.xml:1013(programlisting)
msgid "\nTLS_CERT /etc/ssl/certs/server.crt\nTLS_KEY /etc/ssl/private/server.key\nTLS_CACERT /etc/ssl/certs/cacert.pem\n"

#: serverguide/C/network-auth.xml:1020(para)
msgid "Finally, restart <application>slapd</application> on each of the servers:"

#: serverguide/C/network-auth.xml:1033(title)
msgid "LDAP Authentication"
#: serverguide/C/network-auth.xml:905(para) serverguide/C/network-auth.xml:1035(para)
msgid "Once you have a working LDAP server, the <application>auth-client-config</application> and <application>libnss-ldap</application> packages take the pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages, from a terminal prompt enter:"

#: serverguide/C/network-auth.xml:912(command) serverguide/C/network-auth.xml:1042(command)
msgid "sudo apt-get install libnss-ldap"
#: serverguide/C/network-auth.xml:915(para) serverguide/C/network-auth.xml:1045(para)
msgid "During the install a menu dialog will ask you connection details about your LDAP server."

#: serverguide/C/network-auth.xml:919(para) serverguide/C/network-auth.xml:1049(para)
msgid "If you make a mistake when entering your information you can execute the dialog again using:"

#: serverguide/C/network-auth.xml:924(command) serverguide/C/network-auth.xml:1054(command)
msgid "sudo dpkg-reconfigure ldap-auth-config"
#: serverguide/C/network-auth.xml:927(para) serverguide/C/network-auth.xml:1057(para)
msgid "The results of the dialog can be seen in <filename>/etc/ldap.conf</filename>. If your server requires options not covered in the menu, edit this file accordingly. If you gave the dialog an LDAP root account, its password is stored in plain text in <filename>/etc/ldap.secret</filename>, which must remain readable only by root."

#: serverguide/C/network-auth.xml:932(para) serverguide/C/network-auth.xml:1062(para)
msgid "Now that <application>libnss-ldap</application> is configured, enable the <application>auth-client-config</application> LDAP profile by entering:"

#: serverguide/C/network-auth.xml:938(command) serverguide/C/network-auth.xml:1068(command)
msgid "sudo auth-client-config -t nss -p lac_ldap"
#: serverguide/C/network-auth.xml:943(para) serverguide/C/network-auth.xml:1073(para)
msgid "<emphasis>-t:</emphasis> only modifies <filename>/etc/nsswitch.conf</filename>."

#: serverguide/C/network-auth.xml:948(para) serverguide/C/network-auth.xml:1078(para)
msgid "<emphasis>-p:</emphasis> name of the profile to enable, disable, etc."
#: serverguide/C/network-auth.xml:953(para) serverguide/C/network-auth.xml:1083(para)
msgid "<emphasis>lac_ldap:</emphasis> the <application>auth-client-config</application> profile that is part of the <application>ldap-auth-config</application> package."

#: serverguide/C/network-auth.xml:960(para) serverguide/C/network-auth.xml:1090(para)
msgid "Using the <application>pam-auth-update</application> utility, configure the system to use LDAP for authentication:"

#: serverguide/C/network-auth.xml:965(command) serverguide/C/network-auth.xml:1095(command)
msgid "sudo pam-auth-update"
#: serverguide/C/network-auth.xml:968(para) serverguide/C/network-auth.xml:1098(para)
msgid "From the <application>pam-auth-update</application> menu, choose LDAP and any other authentication mechanisms you need."

#: serverguide/C/network-auth.xml:972(para) serverguide/C/network-auth.xml:1102(para)
msgid "You should now be able to log in using user credentials stored in the LDAP directory."

#: serverguide/C/network-auth.xml:977(para) serverguide/C/network-auth.xml:1107(para)
msgid "If you are going to use LDAP to store Samba users you will need to configure the server to authenticate using LDAP. See <xref linkend=\"samba-ldap\"/> for details."
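Before trusting the client, confirm that the NSS change actually happened. The shell functions below are an added example written for this page, not code from the Ubuntu Server Guide or from auth-client-config: they parse an nsswitch.conf and report whether the passwd, group and shadow databases consult the ldap source, which is what `auth-client-config -t nss -p lac_ldap` is expected to write. The file parsed here is a constructed sample so the code runs offline; on a real client point the functions at /etc/nsswitch.conf and follow them with `getent passwd george`, which proves the directory is actually answering lookups.

```shell
#!/bin/sh
# nss_uses_ldap FILE DB
#   Exit 0 if the nsswitch database DB (passwd, group, shadow, ...) in FILE
#   lists the ldap source, 1 otherwise. FILE defaults to /etc/nsswitch.conf.
nss_uses_ldap() {
  file="${1:-/etc/nsswitch.conf}"
  db="$2"
  # Strip comments, select the line for this database, look for an "ldap" token.
  sed 's/#.*//' "$file" | awk -v db="$db" '
    $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
    END { exit found ? 0 : 1 }'
}

# nss_ldap_report FILE
#   Print one line per database that LDAP authentication needs; return 1 if
#   any of them does not consult ldap.
nss_ldap_report() {
  file="${1:-/etc/nsswitch.conf}"
  rc=0
  for db in passwd group shadow; do
    if nss_uses_ldap "$file" "$db"; then
      echo "$db: ldap enabled"
    else
      echo "$db: ldap NOT enabled"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of what the lac_ldap profile leaves behind for the three
# databases (other lines of a real /etc/nsswitch.conf elided).
sample_nsswitch() {
  cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
}

# Live check on a client, after the profile has been enabled:
#   nss_ldap_report && getent passwd george
```

The shadow line matters as much as passwd: without it pam_unix cannot see LDAP password hashes, and logins that appear to resolve the user will still fail. Shadow lookups through getent require root.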
#: serverguide/C/network-auth.xml:985(title) serverguide/C/network-auth.xml:1115(title)
msgid "User and Group Management"
#: serverguide/C/network-auth.xml:987(para) serverguide/C/network-auth.xml:1117(para)
msgid "The <application>ldap-utils</application> package comes with multiple utilities to manage the directory, but the long string of options needed can make them a burden to use. The <application>ldapscripts</application> package contains configurable scripts to easily manage LDAP users and groups."

#: serverguide/C/network-auth.xml:993(para) serverguide/C/network-auth.xml:1123(para)
msgid "To install the package, from a terminal enter:"

#: serverguide/C/network-auth.xml:998(command) serverguide/C/network-auth.xml:1128(command)
msgid "sudo apt-get install ldapscripts"
#: serverguide/C/network-auth.xml:1001(para) serverguide/C/network-auth.xml:1131(para)
msgid "Next, edit the config file <filename>/etc/ldapscripts/ldapscripts.conf</filename> uncommenting and changing the following to match your environment:"

#: serverguide/C/network-auth.xml:1006(programlisting) serverguide/C/network-auth.xml:1136(programlisting)
msgid "\nSERVER=localhost\nBINDDN='cn=admin,dc=example,dc=com'\nBINDPWDFILE=\"/etc/ldapscripts/ldapscripts.passwd\"\nSUFFIX='dc=example,dc=com'\nGSUFFIX='ou=Groups'\nUSUFFIX='ou=People'\nMSUFFIX='ou=Computers'\nGIDSTART=10000\nUIDSTART=10000\nMIDSTART=10000\n"

#: serverguide/C/network-auth.xml:1019(para) serverguide/C/network-auth.xml:1149(para)
msgid "Now, create the <filename>ldapscripts.passwd</filename> file to allow authenticated access to the directory:"

#: serverguide/C/network-auth.xml:1024(command) serverguide/C/network-auth.xml:1154(command)
msgid "sudo sh -c \"echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd\""

#: serverguide/C/network-auth.xml:1025(command) serverguide/C/network-auth.xml:1155(command)
msgid "sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd"
#: serverguide/C/network-auth.xml:1029(para) serverguide/C/network-auth.xml:1159(para)
msgid "Replace <quote>secret</quote> with the actual password for your LDAP admin user."
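The two commands above put the admin password on a command line, where it is briefly visible to every local user through the process list and is recorded in the shell history. As an added example (not part of the Ubuntu Server Guide or of ldapscripts), the shell functions below read the password from standard input instead, write it without a trailing newline exactly as the `echo -n` form above does, and verify that the resulting file is mode 0400 and has no stray newline. The password and the temporary file used in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# write_bind_password FILE
#   Reads the bind password (one line) from standard input and stores it in
#   FILE with no trailing newline, mode 0400. Nothing secret appears in argv,
#   so it is not exposed through `ps` or the shell history the way
#   sh -c "echo -n 'secret' > ..." is.
write_bind_password() {
  file="$1"
  IFS= read -r pw
  [ -n "$pw" ] || { echo "write_bind_password: empty password refused" >&2; return 1; }
  # umask 077 in a subshell: the file is never created world-readable, even briefly.
  ( umask 077 && printf '%s' "$pw" > "$file" ) || return 1
  chmod 400 "$file"
}

# check_bind_password_file FILE
#   Returns 0 only if FILE is exactly mode 0400, non-empty, and has no trailing
#   newline (ldapscripts reads the file contents verbatim as the password).
check_bind_password_file() {
  file="$1"
  [ -n "$(find "$file" -prune -perm 0400 -print)" ] \
    || { echo "$file: mode is not 0400" >&2; return 1; }
  [ -s "$file" ] || { echo "$file: empty" >&2; return 1; }
  [ "$(tail -c 1 "$file" | wc -l)" -eq 0 ] \
    || { echo "$file: trailing newline" >&2; return 1; }
}

# Interactive use as root, so that the file ends up root-owned:
#   stty -echo; write_bind_password /etc/ldapscripts/ldapscripts.passwd; stty echo
#   check_bind_password_file /etc/ldapscripts/ldapscripts.passwd
```

Because the scripts bind as `cn=admin` with this file, anyone who can read it holds full write access to the directory; the 0400 check is the minimum, and the file should be owned by the account that runs the scripts (root in the guide's `sudo` usage).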
#: serverguide/C/network-auth.xml:1034(para) serverguide/C/network-auth.xml:1164(para)
msgid "The <application>ldapscripts</application> are now ready to help manage your directory. The following are some examples of how to use the scripts:"
#: serverguide/C/network-auth.xml:1041(para) serverguide/C/network-auth.xml:1171(para)
msgid "Create a new user:"

#: serverguide/C/network-auth.xml:1045(command) serverguide/C/network-auth.xml:1175(command)
msgid "sudo ldapadduser george example"

#: serverguide/C/network-auth.xml:1047(para) serverguide/C/network-auth.xml:1177(para)
msgid "This will create a user with uid <emphasis role=\"italic\">george</emphasis> and set the user's primary group (gid) to <emphasis role=\"italic\">example</emphasis>."

#: serverguide/C/network-auth.xml:1053(para) serverguide/C/network-auth.xml:1183(para)
msgid "Change a user's password:"

#: serverguide/C/network-auth.xml:1057(command) serverguide/C/network-auth.xml:1187(command)
msgid "sudo ldapsetpasswd george"

#: serverguide/C/network-auth.xml:1058(computeroutput) serverguide/C/network-auth.xml:1188(computeroutput)
msgid "Changing password for user uid=george,ou=People,dc=example,dc=com"

#: serverguide/C/network-auth.xml:1059(userinput) serverguide/C/network-auth.xml:1189(userinput)
msgid "New Password: "

#: serverguide/C/network-auth.xml:1060(userinput) serverguide/C/network-auth.xml:1190(userinput)
msgid "New Password (verify): "

#: serverguide/C/network-auth.xml:1064(para) serverguide/C/network-auth.xml:1194(para)
msgid "Delete a user:"

#: serverguide/C/network-auth.xml:1068(command) serverguide/C/network-auth.xml:1198(command)
msgid "sudo ldapdeleteuser george"
#: serverguide/C/network-auth.xml:1073(para) serverguide/C/network-auth.xml:1203(para)
msgid "Add a group:"

#: serverguide/C/network-auth.xml:1077(command) serverguide/C/network-auth.xml:1207(command)
msgid "sudo ldapaddgroup qa"

#: serverguide/C/network-auth.xml:1081(para) serverguide/C/network-auth.xml:1211(para)
msgid "Delete a group:"

#: serverguide/C/network-auth.xml:1085(command) serverguide/C/network-auth.xml:1215(command)
msgid "sudo ldapdeletegroup qa"

#: serverguide/C/network-auth.xml:1089(para) serverguide/C/network-auth.xml:1219(para)
msgid "Add a user to a group:"

#: serverguide/C/network-auth.xml:1093(command) serverguide/C/network-auth.xml:1223(command)
msgid "sudo ldapaddusertogroup george qa"

#: serverguide/C/network-auth.xml:1095(para) serverguide/C/network-auth.xml:1225(para)
msgid "You should now see a <emphasis>memberUid</emphasis> attribute for the <emphasis role=\"italic\">qa</emphasis> group with a value of <emphasis role=\"italic\">george</emphasis>."

#: serverguide/C/network-auth.xml:1101(para) serverguide/C/network-auth.xml:1231(para)
msgid "Remove a user from a group:"

#: serverguide/C/network-auth.xml:1105(command) serverguide/C/network-auth.xml:1235(command)
msgid "sudo ldapdeleteuserfromgroup george qa"
#: serverguide/C/network-auth.xml:1107(para) serverguide/C/network-auth.xml:1237(para)
msgid "The <emphasis>memberUid</emphasis> attribute should now be removed from the <emphasis role=\"italic\">qa</emphasis> group."

#: serverguide/C/network-auth.xml:1113(para) serverguide/C/network-auth.xml:1243(para)
msgid "The <application>ldapmodifyuser</application> script allows you to add, remove, or replace a user's attributes. The script uses the same syntax as the <application>ldapmodify</application> utility. For example:"

#: serverguide/C/network-auth.xml:1118(command) serverguide/C/network-auth.xml:1248(command)
msgid "sudo ldapmodifyuser george"
#: serverguide/C/network-auth.xml:1119(computeroutput) serverguide/C/network-auth.xml:1249(computeroutput)
msgid "# About to modify the following entry :\ndn: uid=george,ou=People,dc=example,dc=com\nobjectClass: account\nobjectClass: posixAccount\ncn: george\nuid: george\nuidNumber: 1001\ngidNumber: 1001\nhomeDirectory: /home/george\nloginShell: /bin/bash\ngecos: george\ndescription: User account\nuserPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=\n\n# Enter your modifications here, end with CTRL-D.\ndn: uid=george,ou=People,dc=example,dc=com"

#: serverguide/C/network-auth.xml:1135(userinput) serverguide/C/network-auth.xml:1265(userinput)
msgid "replace: gecos\ngecos: George Carlin"

#: serverguide/C/network-auth.xml:1138(para) serverguide/C/network-auth.xml:1268(para)
msgid "The user's <emphasis>gecos</emphasis> should now be <quote>George Carlin</quote>."

#: serverguide/C/network-auth.xml:1143(para) serverguide/C/network-auth.xml:1273(para)
msgid "Another great feature of <application>ldapscripts</application> is the template system. Templates allow you to customize the attributes of user, group, and machine objects. For example, to enable the <emphasis>user</emphasis> template edit <filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:"

#: serverguide/C/network-auth.xml:1150(programlisting) serverguide/C/network-auth.xml:1280(programlisting)
msgid "\nUTEMPLATE=\"/etc/ldapscripts/ldapadduser.template\"\n"

#: serverguide/C/network-auth.xml:1154(para) serverguide/C/network-auth.xml:1284(para)
msgid "There are <emphasis role=\"italic\">sample</emphasis> templates in the <filename>/etc/ldapscripts</filename> directory. Copy or rename the <filename>ldapadduser.template.sample</filename> file to <filename>/etc/ldapscripts/ldapadduser.template</filename>:"

#: serverguide/C/network-auth.xml:1161(command) serverguide/C/network-auth.xml:1291(command)
msgid "sudo cp /etc/ldapscripts/ldapadduser.template.sample /etc/ldapscripts/ldapadduser.template"

#: serverguide/C/network-auth.xml:1164(para) serverguide/C/network-auth.xml:1294(para)
msgid "Edit the new template to add the desired attributes. The following will create new users with an <emphasis>objectClass</emphasis> of <emphasis>inetOrgPerson</emphasis>:"

#: serverguide/C/network-auth.xml:1169(programlisting) serverguide/C/network-auth.xml:1299(programlisting)
msgid "\ndn: uid=<user>,<usuffix>,<suffix>\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\ncn: <user>\nsn: <ask>\nuid: <user>\nuidNumber: <uid>\ngidNumber: <gid>\nhomeDirectory: <home>\nloginShell: <shell>\ngecos: <user>\ndescription: User account\ntitle: Employee\n"

#: serverguide/C/network-auth.xml:1185(para) serverguide/C/network-auth.xml:1315(para)
msgid "Notice the <emphasis><ask></emphasis> option used for the <emphasis>sn</emphasis> value. Using <ask> will configure <application>ldapadduser</application> to prompt you for the attribute value during user creation."

#: serverguide/C/network-auth.xml:1193(para) serverguide/C/network-auth.xml:1323(para)
msgid "There are more useful scripts in the package; to see a full list enter: <command>dpkg -L ldapscripts | grep bin</command>"

#: serverguide/C/network-auth.xml:1202(para) serverguide/C/network-auth.xml:1332(para)
msgid "For more information see the <ulink url=\"http://www.openldap.org/\">OpenLDAP Home Page</ulink>"

#: serverguide/C/network-auth.xml:1207(para) serverguide/C/network-auth.xml:1337(para)
msgid "Though starting to show its age, a great source for in-depth LDAP information is O'Reilly's <ulink url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System Administration</ulink>"

#: serverguide/C/network-auth.xml:1213(para) serverguide/C/network-auth.xml:1343(para)
msgid "Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book\">Mastering OpenLDAP</ulink> is a great reference covering newer versions of OpenLDAP."

#: serverguide/C/network-auth.xml:1219(para) serverguide/C/network-auth.xml:1349(para)
msgid "For more information on <application>auth-client-config</application> see the man page: <command>man auth-client-config</command>."

#: serverguide/C/network-auth.xml:1224(para) serverguide/C/network-auth.xml:1354(para)
msgid "For more details regarding the <application>ldapscripts</application> package see the man pages: <command>man ldapscripts</command>, <command>man ldapadduser</command>, <command>man ldapaddgroup</command>, etc."
#: serverguide/C/network-auth.xml:1234(title) serverguide/C/network-auth.xml:1364(title)
msgid "Samba and LDAP"

#: serverguide/C/network-auth.xml:1236(para) serverguide/C/network-auth.xml:1366(para)
msgid "This section covers configuring Samba to use LDAP for user, group, and machine account information and authentication. The assumption is that you already have a working OpenLDAP directory installed and the server is configured to use it for authentication. See <xref linkend=\"openldap-server\"/> and <xref linkend=\"openldap-auth-config\"/> for details on setting up OpenLDAP. For more information on installing and configuring Samba see <xref linkend=\"windows-networking\"/>."

#: serverguide/C/network-auth.xml:1246(para) serverguide/C/network-auth.xml:1376(para)
msgid "There are three packages needed when integrating Samba with LDAP: <application>samba</application>, <application>samba-doc</application>, and <application>smbldap-tools</application>. To install the packages, from a terminal enter:"

#: serverguide/C/network-auth.xml:1252(command) serverguide/C/network-auth.xml:1382(command)
msgid "sudo apt-get install samba samba-doc smbldap-tools"
#: serverguide/C/network-auth.xml:1255(para) serverguide/C/network-auth.xml:1385(para)
msgid "Strictly speaking the <application>smbldap-tools</application> package isn't needed, but unless you have another package or custom scripts, a method of managing users, groups, and computer accounts is needed."

#: serverguide/C/network-auth.xml:1262(title) serverguide/C/network-auth.xml:1392(title)
msgid "OpenLDAP Configuration"
#: serverguide/C/network-auth.xml:1264(para) serverguide/C/network-auth.xml:1394(para)
msgid "In order for Samba to use OpenLDAP as a <emphasis>passdb backend</emphasis>, the user objects in the directory will need additional attributes. This section assumes you want Samba to be configured as a Windows NT domain controller, and will add the necessary LDAP objects and attributes."

#: serverguide/C/network-auth.xml:1272(para) serverguide/C/network-auth.xml:1402(para)
msgid "The Samba attributes are defined in the <filename>samba.schema</filename> file which is part of the <application>samba-doc</application> package. The schema file needs to be unzipped and copied to <filename>/etc/ldap/schema</filename>. From a terminal prompt enter:"

#: serverguide/C/network-auth.xml:1279(command) serverguide/C/network-auth.xml:1409(command)
msgid "sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/"

#: serverguide/C/network-auth.xml:1280(command) serverguide/C/network-auth.xml:1410(command)
msgid "sudo gzip -d /etc/ldap/schema/samba.schema.gz"
#: serverguide/C/network-auth.xml:1286(para) serverguide/C/network-auth.xml:1416(para)
msgid "The <emphasis>samba</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree. The procedure to add a new schema to <application>slapd</application> is also detailed in <xref linkend=\"openldap-configuration\"/>."

#: serverguide/C/network-auth.xml:1294(para) serverguide/C/network-auth.xml:1424(para) serverguide/C/network-auth.xml:2318(para) serverguide/C/network-auth.xml:2448(para)
msgid "First, create a configuration file named <filename>schema_convert.conf</filename>, or a similar descriptive name, containing the following lines:"

#: serverguide/C/network-auth.xml:1299(programlisting) serverguide/C/network-auth.xml:1429(programlisting)
msgid "\ninclude /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/collective.schema\ninclude /etc/ldap/schema/corba.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/duaconf.schema\ninclude /etc/ldap/schema/dyngroup.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/java.schema\ninclude /etc/ldap/schema/misc.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/openldap.schema\ninclude /etc/ldap/schema/ppolicy.schema\ninclude /etc/ldap/schema/samba.schema\n"

#: serverguide/C/network-auth.xml:1329(para) serverguide/C/network-auth.xml:1459(para) serverguide/C/network-auth.xml:2353(para) serverguide/C/network-auth.xml:2483(para)
msgid "Now use <application>slapcat</application> to convert the schema files:"

#: serverguide/C/network-auth.xml:1334(command) serverguide/C/network-auth.xml:1464(command)
msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={12}samba,cn=schema,cn=config\" > /tmp/cn=samba.ldif"

#: serverguide/C/network-auth.xml:1337(para) serverguide/C/network-auth.xml:1467(para) serverguide/C/network-auth.xml:2361(para) serverguide/C/network-auth.xml:2491(para)
msgid "Change the above file and path names to match your own if they are different."

#: serverguide/C/network-auth.xml:1344(para) serverguide/C/network-auth.xml:1474(para)
msgid "Edit the generated <filename>/tmp/cn\\=samba.ldif</filename> file, changing the following attributes (the <quote>{12}</quote> index prefix that <application>slapcat</application> writes into the dn and cn must go, because <application>slapd</application> assigns the index itself when the entry is added), and remove the operational attributes listed in the second block from the bottom of the file, since the server regenerates them:"

#: serverguide/C/network-auth.xml:1348(programlisting) serverguide/C/network-auth.xml:1478(programlisting)
msgid "\ndn: cn=samba,cn=schema,cn=config\n...\ncn: samba\n"

#: serverguide/C/network-auth.xml:1358(programlisting) serverguide/C/network-auth.xml:1488(programlisting)
msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95\ncreatorsName: cn=config\ncreateTimestamp: 20080827045234Z\nentryCSN: 20080827045234.341425Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20080827045234Z\n"

#: serverguide/C/network-auth.xml:1383(command) serverguide/C/network-auth.xml:1513(command)
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=samba.ldif"

#: serverguide/C/network-auth.xml:1519(para)
msgid "There should now be a <emphasis>dn: cn={X}misc,cn=schema,cn=config</emphasis>, where \"X\" is the next sequential schema entry in the cn=config tree."

#: serverguide/C/network-auth.xml:1527(para)
msgid "Copy and paste the following into a file named <filename>samba_indexes.ldif</filename>:"

#: serverguide/C/network-auth.xml:1531(programlisting)
msgid "\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: uidNumber eq\nolcDbIndex: gidNumber eq\nolcDbIndex: loginShell eq\nolcDbIndex: uid eq,pres,sub\nolcDbIndex: memberUid eq,pres,sub\nolcDbIndex: uniqueMember eq,pres\nolcDbIndex: sambaSID eq\nolcDbIndex: sambaPrimaryGroupSID eq\nolcDbIndex: sambaGroupType eq\nolcDbIndex: sambaSIDList eq\nolcDbIndex: sambaDomainName eq\nolcDbIndex: default sub\n"

#: serverguide/C/network-auth.xml:1549(para)
msgid "Using the <application>ldapmodify</application> utility, load the new indexes:"

#: serverguide/C/network-auth.xml:1554(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif"

#: serverguide/C/network-auth.xml:1556(para)
msgid "If all went well you should see the new indexes using <application>ldapsearch</application>:"

#: serverguide/C/network-auth.xml:1561(command)
msgid "ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb"

#: serverguide/C/network-auth.xml:1567(para)
msgid "Next, configure the <application>smbldap-tools</application> package to match your environment. The package comes with a configuration script that will ask questions about the needed options. To run the script enter:"

#: serverguide/C/network-auth.xml:1573(command)
msgid "sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz"

#: serverguide/C/network-auth.xml:1574(command)
msgid "sudo perl /usr/share/doc/smbldap-tools/configure.pl"

#: serverguide/C/network-auth.xml:1577(para)
msgid "Once you have answered the questions, there should be <filename>/etc/smbldap-tools/smbldap.conf</filename> and <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> files. These files are generated by the configure script, so if you made any mistakes while executing the script it may be simpler to edit the file appropriately."

#: serverguide/C/network-auth.xml:1587(para)
msgid "The <application>smbldap-populate</application> script will add the necessary users, groups, and LDAP objects required for Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with <application>slapcat</application> before executing the command:"

#: serverguide/C/network-auth.xml:1594(command)
msgid "sudo slapcat -l backup.ldif"

#: serverguide/C/network-auth.xml:1600(para)
msgid "Once you have a current backup, execute <application>smbldap-populate</application> by entering:"

#: serverguide/C/network-auth.xml:1605(command)
msgid "sudo smbldap-populate"

#: serverguide/C/network-auth.xml:1609(para)
msgid "You can create an LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>. This allows you to look over the changes, making sure everything is correct."

#: serverguide/C/network-auth.xml:1617(para)
msgid "Your LDAP directory now has the necessary domain information to authenticate Samba users."

#: serverguide/C/network-auth.xml:1623(title)
msgid "Samba Configuration"

#: serverguide/C/network-auth.xml:1625(para)
msgid "There are multiple ways to configure Samba; for details on some common configurations see <xref linkend=\"windows-networking\"/>. To configure Samba to use LDAP, edit the main Samba configuration file <filename>/etc/samba/smb.conf</filename>, commenting out the <emphasis>passdb backend</emphasis> option and adding the following:"

#: serverguide/C/network-auth.xml:1631(programlisting)
msgid "\n# passdb backend = tdbsam\n\n# LDAP Settings\n passdb backend = ldapsam:ldap://hostname\n ldap suffix = dc=example,dc=com\n ldap user suffix = ou=People\n ldap group suffix = ou=Groups\n ldap machine suffix = ou=Computers\n ldap idmap suffix = ou=Idmap\n ldap admin dn = cn=admin,dc=example,dc=com\n ldap ssl = start tls\n ldap passwd sync = yes\n...\n add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w \"%u\"\n"

#: serverguide/C/network-auth.xml:1648(para)
msgid "Restart <application>samba</application> to enable the new settings:"

#: serverguide/C/network-auth.xml:1656(para)
msgid "Now Samba needs to know the LDAP admin password. From a terminal prompt enter:"

#: serverguide/C/network-auth.xml:1661(command)
msgid "sudo smbpasswd -w secret"

#: serverguide/C/network-auth.xml:1665(para)
msgid "Replacing <emphasis role=\"italic\">secret</emphasis> with your LDAP admin password."

#: serverguide/C/network-auth.xml:1670(para)
msgid "If you currently have users in LDAP, and you want them to authenticate using Samba, they will need some Samba attributes defined in the <filename>samba.schema</filename> file. Add the Samba attributes to existing users using the <application>smbpasswd</application> utility, replacing <emphasis role=\"italic\">username</emphasis> with an actual user:"

#: serverguide/C/network-auth.xml:1678(command)
msgid "sudo smbpasswd -a username"

#: serverguide/C/network-auth.xml:1681(para)
msgid "You will then be asked to enter the user's password."

#: serverguide/C/network-auth.xml:1685(para)
msgid "To add new user, group, and machine accounts use the utilities from the <application>smbldap-tools</application> package. Here are some examples:"

#: serverguide/C/network-auth.xml:1692(para)
msgid "To add a new user to LDAP with Samba attributes enter the following, replacing username with an actual username:"

#: serverguide/C/network-auth.xml:1696(command)
msgid "sudo smbldap-useradd -a -P username"

#: serverguide/C/network-auth.xml:1698(para)
msgid "The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> option calls the <application>smbldap-passwd</application> utility after the user is created, allowing you to enter a password for the user."

#: serverguide/C/network-auth.xml:1704(para)
msgid "To remove a user from the directory enter:"

#: serverguide/C/network-auth.xml:1708(command)
msgid "sudo smbldap-userdel username"

#: serverguide/C/network-auth.xml:1710(para)
msgid "The <application>smbldap-userdel</application> utility also has a <emphasis>-r</emphasis> option to remove the user's home directory."

#: serverguide/C/network-auth.xml:1715(para)
msgid "Use <application>smbldap-groupadd</application> to add a group, replacing groupname with an appropriate group:"

#: serverguide/C/network-auth.xml:1719(command)
msgid "sudo smbldap-groupadd -a groupname"

#: serverguide/C/network-auth.xml:1721(para)
msgid "Similar to <application>smbldap-useradd</application>, the <emphasis>-a</emphasis> option adds the Samba attributes."

#: serverguide/C/network-auth.xml:1726(para)
msgid "To add a user to a group use <application>smbldap-groupmod</application>:"

#: serverguide/C/network-auth.xml:1730(command)
msgid "sudo smbldap-groupmod -m username groupname"

#: serverguide/C/network-auth.xml:1732(para)
msgid "Be sure to replace <emphasis>username</emphasis> with a real user. Also, the <emphasis>-m</emphasis> option can add more than one user at a time by listing them in <emphasis>comma separated</emphasis> format."

#: serverguide/C/network-auth.xml:1738(para)
msgid "<application>smbldap-groupmod</application> can also be used to remove a user from a group:"

#: serverguide/C/network-auth.xml:1742(command)
msgid "sudo smbldap-groupmod -x username groupname"

#: serverguide/C/network-auth.xml:1746(para)
msgid "Additionally, the <application>smbldap-useradd</application> utility can add Samba machine accounts:"

#: serverguide/C/network-auth.xml:1750(command)
msgid "sudo smbldap-useradd -t 0 -w username"

#: serverguide/C/network-auth.xml:1752(para)
msgid "Replace <emphasis>username</emphasis> with the name of the workstation. The <emphasis>-t 0</emphasis> option creates the machine account without a delay, while the <emphasis>-w</emphasis> option specifies the user as a machine account. Also, note the <emphasis>add machine script</emphasis> option in <filename>/etc/samba/smb.conf</filename> was changed to use <application>smbldap-useradd</application>."

#: serverguide/C/network-auth.xml:1761(para)
msgid "There are more useful utilities and options in the <application>smbldap-tools</application> package. The man page for each utility provides more details."

#: serverguide/C/network-auth.xml:1772(para)
msgid "There are multiple places where LDAP and Samba are documented in the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO Collection</ulink>."

#: serverguide/C/network-auth.xml:1778(para)
msgid "Specifically see the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html\">passdb section</ulink>."

#: serverguide/C/network-auth.xml:1784(para)
msgid "Another good site is <ulink url=\"http://www.iallanis.info/smbldap-tools/docs/samba-ldap-howto/\">Samba OpenLDAP HOWTO</ulink>."

#: serverguide/C/network-auth.xml:1790(para)
msgid "Again, for more information on <application>smbldap-tools</application> see the man pages: <command>man smbldap-useradd</command>, <command>man smbldap-groupadd</command>, <command>man smbldap-populate</command>, etc."

#: serverguide/C/network-auth.xml:1800(title)
msgid "Kerberos"

#: serverguide/C/network-auth.xml:1802(para)
msgid "<application>Kerberos</application> is a network authentication system based on the principle of a trusted third party, the other two parties being the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO)."

#: serverguide/C/network-auth.xml:1808(para)
msgid "This section covers installation and configuration of a Kerberos server, and some example client configurations."

#: serverguide/C/network-auth.xml:1815(para)
msgid "If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:"

#: serverguide/C/network-auth.xml:1822(para)
msgid "<emphasis>Principal:</emphasis> any users, computers, and services provided by servers need to be defined as Kerberos Principals."

#: serverguide/C/network-auth.xml:1827(para)
msgid "<emphasis>Instances:</emphasis> are used for service principals and special administrative principals."

#: serverguide/C/network-auth.xml:1832(para)
msgid "<emphasis>Realms:</emphasis> the unique realm of control provided by the Kerberos installation. Usually the DNS domain converted to uppercase (EXAMPLE.COM)."

#: serverguide/C/network-auth.xml:1838(para)
msgid "<emphasis>Key Distribution Center:</emphasis> (KDC) consists of three parts, a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC."

#: serverguide/C/network-auth.xml:1844(para)
msgid "<emphasis>Ticket Granting Ticket:</emphasis> issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted using the user's password, which is known only to the user and the KDC."

#: serverguide/C/network-auth.xml:1850(para)
msgid "<emphasis>Ticket Granting Server:</emphasis> (TGS) issues service tickets to clients upon request."

#: serverguide/C/network-auth.xml:1855(para)
msgid "<emphasis>Tickets:</emphasis> confirm the identity of the two principals, one principal being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session."

#: serverguide/C/network-auth.xml:1861(para)
msgid "<emphasis>Keytab Files:</emphasis> are files extracted from the KDC principal database and contain the encryption key for a service or host."

#: serverguide/C/network-auth.xml:1868(para)
msgid "To put the pieces together, a Realm has at least one KDC, preferably two for redundancy, which contains a database of Principals. When a user principal logs into a workstation configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user-supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password."

#: serverguide/C/network-auth.xml:1877(title)
msgid "Kerberos Server"

#: serverguide/C/network-auth.xml:1881(para)
msgid "Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the <emphasis>example.com</emphasis> domain configured in <xref linkend=\"dns-primarymaster-configuration\"/>."

#: serverguide/C/network-auth.xml:1887(para)
msgid "Also, Kerberos is a time-sensitive protocol. So if the local system time between a client machine and the server differs by more than five minutes (by default), the workstation will not be able to authenticate. To correct the problem all hosts should have their time synchronized using the <emphasis>Network Time Protocol (NTP)</emphasis>. For details on setting up NTP see <xref linkend=\"NTP\"/>."

#: serverguide/C/network-auth.xml:1894(para)
msgid "The first step in installing a Kerberos Realm is to install the <application>krb5-kdc</application> and <application>krb5-admin-server</application> packages. From a terminal enter:"

#: serverguide/C/network-auth.xml:1900(command) serverguide/C/network-auth.xml:2075(command)
msgid "sudo apt-get install krb5-kdc krb5-admin-server"

#: serverguide/C/network-auth.xml:1903(para)
msgid "You will be asked at the end of the install to supply a name for the Kerberos and Admin servers for the realm, which may or may not be the same server."

#: serverguide/C/network-auth.xml:1908(para)
msgid "Next, create the new realm with the <application>krb5_newrealm</application> utility:"

#: serverguide/C/network-auth.xml:1913(command)
msgid "sudo krb5_newrealm"

#: serverguide/C/network-auth.xml:1920(para)
msgid "The questions asked during installation are used to configure the <filename>/etc/krb5.conf</filename> file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the <application>krb5-kdc</application> daemon."

#: serverguide/C/network-auth.xml:1928(para)
msgid "Now that the KDC is running, an admin user is needed. It is recommended to use a different username from your everyday username. Using the <application>kadmin.local</application> utility in a terminal prompt enter:"

#: serverguide/C/network-auth.xml:1934(command) serverguide/C/network-auth.xml:2725(command)
msgid "sudo kadmin.local"

#: serverguide/C/network-auth.xml:1935(computeroutput)
msgid "Authenticating as principal root/admin@EXAMPLE.COM with password.\nkadmin.local:"

#: serverguide/C/network-auth.xml:1936(userinput)
msgid " addprinc steve/admin"

#: serverguide/C/network-auth.xml:1937(computeroutput)
msgid "WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy\nEnter password for principal \"steve/admin@EXAMPLE.COM\": \nRe-enter password for principal \"steve/admin@EXAMPLE.COM\": \nPrincipal \"steve/admin@EXAMPLE.COM\" created.\nkadmin.local:"

#: serverguide/C/network-auth.xml:1941(userinput)
#: serverguide/C/network-auth.xml:1814(para)
13362
"In the above example <emphasis role=\"italic\">steve</emphasis> is the "
13363
"<emphasis>Principal</emphasis>, <emphasis role=\"italic\">/admin</emphasis> "
13364
"is an <emphasis>Instance</emphasis>, and <emphasis "
13365
"role=\"italic\">@EXAMPLE.COM</emphasis> signifies the realm. The <emphasis "
13366
"role=\"italic\">\"every day\"</emphasis> Principal would be "
13367
"<emphasis>steve@EXAMPLE.COM</emphasis>, and should have only normal user "
13371
#: serverguide/C/network-auth.xml:1822(para)
13373
"Replace <emphasis>EXAMPLE.COM</emphasis> and <emphasis>steve</emphasis> with "
13374
"your Realm and admin username."
13377
#: serverguide/C/network-auth.xml:1830(para)
13379
"Next, the new admin user needs to have the appropriate Access Control List "
13380
"(ACL) permissions. The permissions are configured in the "
13381
"<filename>/etc/krb5kdc/kadm5.acl</filename> file:"
13384
#: serverguide/C/network-auth.xml:1835(programlisting)
8450
#: serverguide/C/network-auth.xml:1944(para)
8451
msgid "In the above example <emphasis role=\"italic\">steve</emphasis> is the <emphasis>Principal</emphasis>, <emphasis role=\"italic\">/admin</emphasis> is an <emphasis>Instance</emphasis>, and <emphasis role=\"italic\">@EXAMPLE.COM</emphasis> signifies the realm. The <emphasis role=\"italic\">\"every day\"</emphasis> Principal would be <emphasis>steve@EXAMPLE.COM</emphasis>, and should have only normal user rights."
8454
#: serverguide/C/network-auth.xml:1952(para)
8455
msgid "Replace <emphasis>EXAMPLE.COM</emphasis> and <emphasis>steve</emphasis> with your Realm and admin username."
8458
#: serverguide/C/network-auth.xml:1960(para)
8459
msgid "Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. The permissions are configured in the <filename>/etc/krb5kdc/kadm5.acl</filename> file:"
8462
#: serverguide/C/network-auth.xml:1965(programlisting)
13388
"steve/admin@EXAMPLE.COM *\n"
13391
#: serverguide/C/network-auth.xml:1839(para)
13393
"This entry grants <emphasis>steve/admin</emphasis> the ability to perform "
13394
"any operation on all principals in the realm."
13397
#: serverguide/C/network-auth.xml:1846(para)
13399
"Now restart the <application>krb5-admin-server</application> for the new ACL "
13403
#: serverguide/C/network-auth.xml:1851(command)
8464
msgid "\nsteve/admin@EXAMPLE.COM *\n"
8467
#: serverguide/C/network-auth.xml:1969(para)
8468
msgid "This entry grants <emphasis>steve/admin</emphasis> the ability to perform any operation on all principals in the realm."
8471
#: serverguide/C/network-auth.xml:1976(para)
8472
msgid "Now restart the <application>krb5-admin-server</application> for the new ACL to take affect:"
8475
#: serverguide/C/network-auth.xml:1981(command)
13404
8476
msgid "sudo /etc/init.d/krb5-admin-server restart"
13407
#: serverguide/C/network-auth.xml:1857(para)
msgid "The new user principal can be tested using the <application>kinit</application> utility:"

#: serverguide/C/network-auth.xml:1862(command)
msgid "kinit steve/admin"

#: serverguide/C/network-auth.xml:1863(computeroutput)
msgid "steve/admin@EXAMPLE.COM's Password:"

#: serverguide/C/network-auth.xml:1866(para)
msgid "After entering the password, use the <application>klist</application> utility to view information about the Ticket Granting Ticket (TGT):"

#: serverguide/C/network-auth.xml:1872(command) serverguide/C/network-auth.xml:2207(command)

#: serverguide/C/network-auth.xml:1873(computeroutput)
msgid "Credentials cache: FILE:/tmp/krb5cc_1000\n Principal: steve/admin@EXAMPLE.COM\n\n Issued Expires Principal\nJul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM"

#: serverguide/C/network-auth.xml:1880(para)
msgid "You may need to add an entry into the <filename>/etc/hosts</filename> file for the KDC. For example:"

#: serverguide/C/network-auth.xml:1884(programlisting)
msgid "\n192.168.0.1 kdc01.example.com kdc01\n"

#: serverguide/C/network-auth.xml:1888(para)
msgid "Replace <emphasis>192.168.0.1</emphasis> with the IP address of your KDC."

#: serverguide/C/network-auth.xml:1895(para)
msgid "In order for clients to determine the KDC for the Realm, some DNS SRV records are needed. Add the following to <filename>/etc/named/db.example.com</filename>:"

#: serverguide/C/network-auth.xml:1900(programlisting)
msgid "\n_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.\n_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.\n_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.\n_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.\n"

#: serverguide/C/network-auth.xml:1910(para)
msgid "Replace <emphasis>EXAMPLE.COM</emphasis>, <emphasis>kdc01</emphasis>, and <emphasis>kdc02</emphasis> with your domain name, primary KDC, and secondary KDC."

#: serverguide/C/network-auth.xml:1916(para)
msgid "See <xref linkend=\"dns\"/> for detailed instructions on setting up DNS."

#: serverguide/C/network-auth.xml:1923(para)
msgid "Your new Kerberos Realm is now ready to authenticate clients."

#: serverguide/C/network-auth.xml:1930(title)
msgid "Secondary KDC"

#: serverguide/C/network-auth.xml:1932(para)
msgid "Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the primary becomes unavailable."

#: serverguide/C/network-auth.xml:1940(para)
msgid "First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:"

#: serverguide/C/network-auth.xml:1951(para)
msgid "Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:"

#: serverguide/C/network-auth.xml:1956(command)
msgid "kadmin -q \"addprinc -randkey host/kdc02.example.com\""

#: serverguide/C/network-auth.xml:1960(para)
msgid "After issuing any <application>kadmin</application> commands you will be prompted for your <emphasis>username/admin@EXAMPLE.COM</emphasis> principal password."

#: serverguide/C/network-auth.xml:1969(para)
msgid "Extract the <emphasis>keytab</emphasis> file:"

#: serverguide/C/network-auth.xml:1974(command)
msgid "kadmin -q \"ktadd -k keytab.kdc02 host/kdc02.example.com\""

#: serverguide/C/network-auth.xml:1980(para)
msgid "There should now be a <filename>keytab.kdc02</filename> in the current directory. Move the file to <filename>/etc/krb5.keytab</filename>:"

#: serverguide/C/network-auth.xml:1986(command)
msgid "sudo mv keytab.kdc02 /etc/krb5.keytab"

#: serverguide/C/network-auth.xml:1990(para)
msgid "If the path to the <filename>keytab.kdc02</filename> file is different, adjust accordingly."

#: serverguide/C/network-auth.xml:1995(para)
msgid "Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the <application>klist</application> utility:"

#: serverguide/C/network-auth.xml:2001(command)
msgid "sudo klist -k /etc/krb5.keytab"

#: serverguide/C/network-auth.xml:2007(para)
msgid "Next, there needs to be a <filename>kpropd.acl</filename> file on each KDC that lists all KDCs for the Realm. For example, on both the primary and secondary KDC, create <filename>/etc/krb5kdc/kpropd.acl</filename>:"

#: serverguide/C/network-auth.xml:2012(programlisting)
msgid "\nhost/kdc01.example.com@EXAMPLE.COM\nhost/kdc02.example.com@EXAMPLE.COM\n"

#: serverguide/C/network-auth.xml:2020(para)
msgid "Create an empty database on the <emphasis>Secondary KDC</emphasis>:"

#: serverguide/C/network-auth.xml:2025(command)
msgid "sudo kdb5_util -s create"

#: serverguide/C/network-auth.xml:2031(para)
msgid "Now start the <application>kpropd</application> daemon, which listens for connections from the <application>kprop</application> utility. <application>kprop</application> is used to transfer dump files:"

#: serverguide/C/network-auth.xml:2038(command)
msgid "sudo kpropd -S"

#: serverguide/C/network-auth.xml:2044(para)
msgid "From a terminal on the <emphasis>Primary KDC</emphasis>, create a dump file of the principal database:"

#: serverguide/C/network-auth.xml:2049(command)
msgid "sudo kdb5_util dump /var/lib/krb5kdc/dump"

#: serverguide/C/network-auth.xml:2055(para)
msgid "Extract the Primary KDC's <emphasis>keytab</emphasis> file and copy it to <filename>/etc/krb5.keytab</filename>:"

#: serverguide/C/network-auth.xml:2060(command)
msgid "kadmin -q \"ktadd -k keytab.kdc01 host/kdc01.example.com\""

#: serverguide/C/network-auth.xml:2061(command)
msgid "sudo mv keytab.kdc01 /etc/krb5.keytab"

#: serverguide/C/network-auth.xml:2065(para)
msgid "Make sure there is a <emphasis>host</emphasis> principal for <emphasis>kdc01.example.com</emphasis> before extracting the Keytab."

#: serverguide/C/network-auth.xml:2073(para)
msgid "Using the <application>kprop</application> utility, push the database to the Secondary KDC:"

#: serverguide/C/network-auth.xml:2078(command)
msgid "sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com"

#: serverguide/C/network-auth.xml:2082(para)
msgid "There should be a <emphasis>SUCCEEDED</emphasis> message if the propagation worked. If there is an error message, check <filename>/var/log/syslog</filename> on the secondary KDC for more information."

#: serverguide/C/network-auth.xml:2088(para)
msgid "You may also want to create a <application>cron</application> job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour:"

#: serverguide/C/network-auth.xml:2093(programlisting)
msgid "\n# m h dom mon dow command\n0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com\n"

#: serverguide/C/network-auth.xml:2101(para)
msgid "Back on the <emphasis>Secondary KDC</emphasis>, create a <emphasis>stash</emphasis> file to hold the Kerberos master key:"

#: serverguide/C/network-auth.xml:2107(command)
msgid "sudo kdb5_util stash"

#: serverguide/C/network-auth.xml:2113(para)
msgid "Finally, start the <application>krb5-kdc</application> daemon on the Secondary KDC:"

#: serverguide/C/network-auth.xml:2118(command) serverguide/C/network-auth.xml:2725(command)
msgid "sudo /etc/init.d/krb5-kdc start"

#: serverguide/C/network-auth.xml:2124(para)
msgid "The <emphasis>Secondary KDC</emphasis> should now be able to issue tickets for the Realm. You can test this by stopping the <application>krb5-kdc</application> daemon on the Primary KDC, then using <application>kinit</application> to request a ticket. If all goes well you should receive a ticket from the Secondary KDC."

#: serverguide/C/network-auth.xml:2132(title)
msgid "Kerberos Linux Client"

#: serverguide/C/network-auth.xml:2134(para)
msgid "This section covers configuring a Linux system as a <application>Kerberos</application> client. This will allow access to any kerberized services once a user has successfully logged into the system."

#: serverguide/C/network-auth.xml:2142(para)
msgid "In order to authenticate to a Kerberos Realm, the <application>krb5-user</application> and <application>libpam-krb5</application> packages are needed, along with a few others that are not strictly necessary but make life easier. To install the packages enter the following in a terminal prompt:"

#: serverguide/C/network-auth.xml:2149(command)
msgid "sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config"

#: serverguide/C/network-auth.xml:2152(para)
msgid "The <application>auth-client-config</application> package allows simple configuration of PAM for authentication from multiple sources, and <application>libpam-ccreds</application> will cache authentication credentials, allowing you to log in in case the Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that may authenticate using Kerberos while on the corporate network, but will need to be accessed off the network as well."

#: serverguide/C/network-auth.xml:2163(para)
msgid "To configure the client, in a terminal enter:"

#: serverguide/C/network-auth.xml:2168(command)
msgid "sudo dpkg-reconfigure krb5-config"

#: serverguide/C/network-auth.xml:2171(para)
msgid "You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos <emphasis>SRV</emphasis> records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server."

#: serverguide/C/network-auth.xml:2177(para)
msgid "The <application>dpkg-reconfigure</application> adds entries to the <filename>/etc/krb5.conf</filename> file for your Realm. You should have entries similar to the following:"

#: serverguide/C/network-auth.xml:2182(programlisting)
msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n...\n[realms]\n EXAMPLE.COM = {\n kdc = 192.168.0.1\n admin_server = 192.168.0.1\n }\n"

#: serverguide/C/network-auth.xml:2193(para)
msgid "You can test the configuration by requesting a ticket using the <application>kinit</application> utility. For example:"

#: serverguide/C/network-auth.xml:2198(command)
msgid "kinit steve@EXAMPLE.COM"

#: serverguide/C/network-auth.xml:2199(computeroutput)
msgid "Password for steve@EXAMPLE.COM:"

#: serverguide/C/network-auth.xml:2202(para)
msgid "When a ticket has been granted, the details can be viewed using <application>klist</application>:"

#: serverguide/C/network-auth.xml:2208(computeroutput)
msgid "Ticket cache: FILE:/tmp/krb5cc_1000\nDefault principal: steve@EXAMPLE.COM\n\nValid starting Expires Service principal\n07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM\n renew until 07/25/08 05:18:57\n\n\nKerberos 4 ticket cache: /tmp/tkt1000\nklist: You have no tickets cached"

#: serverguide/C/network-auth.xml:2220(para)
msgid "Next, use <application>auth-client-config</application> to configure the <application>libpam-krb5</application> module to request a ticket during login:"

#: serverguide/C/network-auth.xml:2226(command)
msgid "sudo auth-client-config -a -p kerberos_example"

#: serverguide/C/network-auth.xml:2229(para)
msgid "You should now receive a ticket upon successful login authentication."

#: serverguide/C/network-auth.xml:2240(para)
msgid "For more information on Kerberos see the <ulink url=\"http://web.mit.edu/Kerberos/\">MIT Kerberos</ulink> site."

#: serverguide/C/network-auth.xml:2245(para)
msgid "O'Reilly's <ulink url=\"http://oreilly.com/catalog/9780596004033/\">Kerberos: The Definitive Guide</ulink> is a great reference when setting up Kerberos."

#: serverguide/C/network-auth.xml:2251(para)
msgid "Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> IRC channel on <ulink url=\"http://freenode.net/\">Freenode</ulink> if you have Kerberos questions."

#: serverguide/C/network-auth.xml:2261(title)
8752
#: serverguide/C/network-auth.xml:2359(para)
8753
msgid "You will should now receive a ticket upon successful login authentication."
8756
#: serverguide/C/network-auth.xml:2370(para)
8757
msgid "For more information on Kerberos see the <ulink url=\"http://web.mit.edu/Kerberos/\">MIT Kerberos</ulink> site."
8760
#: serverguide/C/network-auth.xml:2375(para)
8761
msgid "O'Reilly's <ulink url=\"http://oreilly.com/catalog/9780596004033/\">Kerberos: The Definitive Guide</ulink> is a great reference when setting up Kerberos."
8764
#: serverguide/C/network-auth.xml:2381(para)
8765
msgid "Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> IRC channel on <ulink url=\"http://freenode.net/\">Freenode</ulink> if you have Kerberos questions."
8768
#: serverguide/C/network-auth.xml:2391(title)
13835
8769
msgid "Kerberos and LDAP"
13838
#: serverguide/C/network-auth.xml:2263(para)
13840
"Replicating a Kerberos principal database between two servers can be "
13841
"complicated, and adds an additional user database to your network. "
13842
"Fortunately, MIT Kerberos can be configured to use an "
13843
"<application>LDAP</application> directory as a principal database. This "
13844
"section covers configuring a primary and secondary kerberos server to use "
13845
"<application>OpenLDAP</application> for the principal database."
8772
#: serverguide/C/network-auth.xml:2393(para)
8773
msgid "Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user database to your network. Fortunately, MIT Kerberos can be configured to use an <application>LDAP</application> directory as a principal database. This section covers configuring a primary and secondary kerberos server to use <application>OpenLDAP</application> for the principal database."
13848
#: serverguide/C/network-auth.xml:2271(title)
8776
#: serverguide/C/network-auth.xml:2401(title)
13849
8777
msgid "Configuring OpenLDAP"
13852
#: serverguide/C/network-auth.xml:2273(para)
13854
"First, the necessary <emphasis>schema</emphasis> needs to be loaded on an "
13855
"<application>OpenLDAP</application> server that has network connectivity to "
13856
"the Primary and Secondary KDCs. The rest of this section assumes that you "
13857
"also have LDAP replication configured between at least two servers. For "
13858
"information on setting up OpenLDAP see <xref linkend=\"openldap-server\"/>."
13861
#: serverguide/C/network-auth.xml:2280(para)
13863
"It is also required to configure OpenLDAP for TLS and SSL connections, so "
13864
"that traffic between the KDC and LDAP server is encrypted. See <xref "
13865
"linkend=\"openldap-tls\"/> for details."
13868
#: serverguide/C/network-auth.xml:2287(para)
13870
"To load the schema into LDAP, on the LDAP server install the "
13871
"<application>krb5-kdc-ldap</application> package. From a terminal enter:"
13874
#: serverguide/C/network-auth.xml:2293(command)
8780
#: serverguide/C/network-auth.xml:2403(para)
8781
msgid "First, the necessary <emphasis>schema</emphasis> needs to be loaded on an <application>OpenLDAP</application> server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see <xref linkend=\"openldap-server\"/>."
8784
#: serverguide/C/network-auth.xml:2410(para)
8785
msgid "It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See <xref linkend=\"openldap-tls\"/> for details."
8788
#: serverguide/C/network-auth.xml:2417(para)
8789
msgid "To load the schema into LDAP, on the LDAP server install the <application>krb5-kdc-ldap</application> package. From a terminal enter:"
8792
#: serverguide/C/network-auth.xml:2423(command)
13875
8793
msgid "sudo apt-get install krb5-kdc-ldap"
13878

#: serverguide/C/network-auth.xml:2298(para)
#: serverguide/C/network-auth.xml:2428(para)
msgid "Next, extract the <filename>kerberos.schema.gz</filename> file:"

#: serverguide/C/network-auth.xml:2303(command)
#: serverguide/C/network-auth.xml:2433(command)
msgid "sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"

#: serverguide/C/network-auth.xml:2304(command)
#: serverguide/C/network-auth.xml:2434(command)
msgid "sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/"

#: serverguide/C/network-auth.xml:2310(para)
#: serverguide/C/network-auth.xml:2440(para)
msgid "The <emphasis>kerberos</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree. The procedure to add a new schema to <application>slapd</application> is also detailed in <xref linkend=\"openldap-configuration\"/>."

#: serverguide/C/network-auth.xml:2323(programlisting)
#: serverguide/C/network-auth.xml:2453(programlisting)
msgid "\ninclude /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/collective.schema\ninclude /etc/ldap/schema/corba.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/duaconf.schema\ninclude /etc/ldap/schema/dyngroup.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/java.schema\ninclude /etc/ldap/schema/misc.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/openldap.schema\ninclude /etc/ldap/schema/ppolicy.schema\ninclude /etc/ldap/schema/kerberos.schema\n"

#: serverguide/C/network-auth.xml:2343(para)
#: serverguide/C/network-auth.xml:2473(para)
msgid "Create a temporary directory to hold the LDIF files:"

#: serverguide/C/network-auth.xml:2358(command)
#: serverguide/C/network-auth.xml:2488(command)
msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={12}kerberos,cn=schema,cn=config\" > /tmp/cn=kerberos.ldif"

#: serverguide/C/network-auth.xml:2368(para)
#: serverguide/C/network-auth.xml:2498(para)
msgid "Edit the generated <filename>/tmp/cn\\=kerberos.ldif</filename> file, changing the following attributes:"

#: serverguide/C/network-auth.xml:2372(programlisting)
#: serverguide/C/network-auth.xml:2502(programlisting)
msgid "\ndn: cn=kerberos,cn=schema,cn=config\n...\ncn: kerberos\n"

#: serverguide/C/network-auth.xml:2378(para)
#: serverguide/C/network-auth.xml:2508(para)
msgid "And remove the following lines from the end of the file:"

#: serverguide/C/network-auth.xml:2382(programlisting)
#: serverguide/C/network-auth.xml:2512(programlisting)
msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc\ncreatorsName: cn=config\ncreateTimestamp: 20090111203515Z\nentryCSN: 20090111203515.326445Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20090111203515Z\n"

#: serverguide/C/network-auth.xml:2401(para)
#: serverguide/C/network-auth.xml:2531(para)
msgid "Load the new schema with <application>ldapadd</application>:"

#: serverguide/C/network-auth.xml:2406(command)
#: serverguide/C/network-auth.xml:2536(command)
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=kerberos.ldif"

#: serverguide/C/network-auth.xml:2412(para)
#: serverguide/C/network-auth.xml:2542(para)
msgid "Add an index for the <emphasis>krbPrincipalName</emphasis> attribute:"

#: serverguide/C/network-auth.xml:2419(userinput)
#: serverguide/C/network-auth.xml:2549(userinput)
msgid "dn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: krbPrincipalName eq,pres,sub"

#: serverguide/C/network-auth.xml:2429(para)
#: serverguide/C/network-auth.xml:2559(para)
msgid "Finally, update the Access Control Lists (ACL):"

#: serverguide/C/network-auth.xml:2436(userinput)
#: serverguide/C/network-auth.xml:2566(userinput)
msgid "dn: olcDatabase={1}hdb,cn=config\nreplace: olcAccess\nolcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn=\"cn=admin,dc=example,dc=com\" write by anonymous auth by self write by * none\n-\nadd: olcAccess\nolcAccess: to dn.base=\"\" by * read\n-\nadd: olcAccess\nolcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read"

#: serverguide/C/network-auth.xml:2435(computeroutput)
#: serverguide/C/network-auth.xml:2565(computeroutput)
msgid "Enter LDAP Password: \n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"

#: serverguide/C/network-auth.xml:2456(para)
#: serverguide/C/network-auth.xml:2586(para)
msgid "That's it, your LDAP directory is now ready to serve as a Kerberos principal database."

#: serverguide/C/network-auth.xml:2462(title)
#: serverguide/C/network-auth.xml:2592(title)
msgid "Primary KDC Configuration"

#: serverguide/C/network-auth.xml:2464(para)
#: serverguide/C/network-auth.xml:2594(para)
msgid "With <application>OpenLDAP</application> configured it is time to configure the KDC."

#: serverguide/C/network-auth.xml:2470(para)
#: serverguide/C/network-auth.xml:2600(para)
msgid "First, install the necessary packages. From a terminal enter:"

#: serverguide/C/network-auth.xml:2475(command) serverguide/C/network-auth.xml:2632(command)
#: serverguide/C/network-auth.xml:2605(command) serverguide/C/network-auth.xml:2762(command)
msgid "sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap"

#: serverguide/C/network-auth.xml:2481(para)
#: serverguide/C/network-auth.xml:2611(para)
msgid "Now edit <filename>/etc/krb5.conf</filename>, adding the following options under the appropriate sections:"

#: serverguide/C/network-auth.xml:2485(programlisting)
#: serverguide/C/network-auth.xml:2615(programlisting)
msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n\n...\n\n[realms]\n EXAMPLE.COM = {\n kdc = kdc01.example.com\n kdc = kdc02.example.com\n admin_server = kdc01.example.com\n admin_server = kdc02.example.com\n default_domain = example.com\n database_module = openldap_ldapconf\n }\n\n...\n\n[domain_realm]\n .example.com = EXAMPLE.COM\n\n...\n\n[dbdefaults]\n ldap_kerberos_container_dn = dc=example,dc=com\n\n[dbmodules]\n openldap_ldapconf = {\n db_library = kldap\n ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read rights on\n # the realm container, principal container and realm sub-trees\n ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read and write rights on\n # the realm container, principal container and realm sub-trees\n ldap_service_password_file = /etc/krb5kdc/service.keyfile\n ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com\n ldap_conns_per_server = 5\n }\n"

#: serverguide/C/network-auth.xml:2530(para)
#: serverguide/C/network-auth.xml:2660(para)
msgid "Change <emphasis>example.com</emphasis>, <emphasis>dc=example,dc=com</emphasis>, <emphasis>cn=admin,dc=example,dc=com</emphasis>, and <emphasis>ldap01.example.com</emphasis> to the appropriate domain, LDAP object, and LDAP server for your network."

#: serverguide/C/network-auth.xml:2539(para)
#: serverguide/C/network-auth.xml:2669(para)
msgid "Next, use the <application>kdb5_ldap_util</application> utility to create the realm:"

#: serverguide/C/network-auth.xml:2544(command)
#: serverguide/C/network-auth.xml:2674(command)
msgid "sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com"

#: serverguide/C/network-auth.xml:2550(para)
#: serverguide/C/network-auth.xml:2680(para)
msgid "Create a stash of the password used to bind to the LDAP server. This password is used by the <emphasis>ldap_kdc_dn</emphasis> and <emphasis>ldap_kadmind_dn</emphasis> options in <filename>/etc/krb5.conf</filename>:"

#: serverguide/C/network-auth.xml:2556(command) serverguide/C/network-auth.xml:2694(command)
#: serverguide/C/network-auth.xml:2686(command) serverguide/C/network-auth.xml:2824(command)
msgid "sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com"

#: serverguide/C/network-auth.xml:2562(para)
#: serverguide/C/network-auth.xml:2692(para)
msgid "Copy the CA certificate from the LDAP server:"

#: serverguide/C/network-auth.xml:2567(command)
#: serverguide/C/network-auth.xml:2697(command)
msgid "scp ldap01:/etc/ssl/certs/cacert.pem ."

#: serverguide/C/network-auth.xml:2568(command)
#: serverguide/C/network-auth.xml:2698(command)
msgid "sudo cp cacert.pem /etc/ssl/certs"

#: serverguide/C/network-auth.xml:2571(para)
#: serverguide/C/network-auth.xml:2701(para)
msgid "And edit <filename>/etc/ldap/ldap.conf</filename> to use the certificate:"

#: serverguide/C/network-auth.xml:2575(programlisting)
#: serverguide/C/network-auth.xml:2705(programlisting)
msgid "\nTLS_CACERT /etc/ssl/certs/cacert.pem\n"

#: serverguide/C/network-auth.xml:2580(para)
#: serverguide/C/network-auth.xml:2710(para)
msgid "The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS."

#: serverguide/C/network-auth.xml:2589(para)
#: serverguide/C/network-auth.xml:2719(para)
msgid "You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the <application>kadmin.local</application> utility enter:"

#: serverguide/C/network-auth.xml:2597(userinput)
#: serverguide/C/network-auth.xml:2727(userinput)
msgid "addprinc -x dn=\"uid=steve,ou=people,dc=example,dc=com\" steve"

#: serverguide/C/network-auth.xml:2596(computeroutput)
#: serverguide/C/network-auth.xml:2726(computeroutput)
msgid "Authenticating as principal root/admin@EXAMPLE.COM with password.\nkadmin.local: <placeholder-1/>\nWARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy\nEnter password for principal \"steve@EXAMPLE.COM\": \nRe-enter password for principal \"steve@EXAMPLE.COM\": \nPrincipal \"steve@EXAMPLE.COM\" created."

#: serverguide/C/network-auth.xml:2604(para)
#: serverguide/C/network-auth.xml:2734(para)
msgid "There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the <emphasis>uid=steve,ou=people,dc=example,dc=com</emphasis> user object. Use the <application>kinit</application> and <application>klist</application> utilities to test that the user is indeed issued a ticket."

#: serverguide/C/network-auth.xml:2611(para)
#: serverguide/C/network-auth.xml:2741(para)
msgid "If the user object is already created, the <emphasis>-x dn=\"...\"</emphasis> option is needed to add the Kerberos attributes. Otherwise, a new <emphasis>principal</emphasis> object will be created in the realm subtree."

#: serverguide/C/network-auth.xml:2619(title)
#: serverguide/C/network-auth.xml:2749(title)
msgid "Secondary KDC Configuration"

#: serverguide/C/network-auth.xml:2621(para)
#: serverguide/C/network-auth.xml:2751(para)
msgid "Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database."

#: serverguide/C/network-auth.xml:2627(para)
#: serverguide/C/network-auth.xml:2757(para)
msgid "First, install the necessary packages. In a terminal enter:"

#: serverguide/C/network-auth.xml:2638(para)
#: serverguide/C/network-auth.xml:2768(para)
msgid "Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend:"

#: serverguide/C/network-auth.xml:2642(programlisting)
#: serverguide/C/network-auth.xml:2772(programlisting)
msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n\n...\n\n[realms]\n EXAMPLE.COM = {\n kdc = kdc01.example.com\n kdc = kdc02.example.com\n admin_server = kdc01.example.com\n admin_server = kdc02.example.com\n default_domain = example.com\n database_module = openldap_ldapconf\n }\n\n...\n\n[domain_realm]\n .example.com = EXAMPLE.COM\n\n...\n\n[dbdefaults]\n ldap_kerberos_container_dn = dc=example,dc=com\n\n[dbmodules]\n openldap_ldapconf = {\n db_library = kldap\n ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read rights on\n # the realm container, principal container and realm sub-trees\n ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read and write rights on\n # the realm container, principal container and realm sub-trees\n ldap_service_password_file = /etc/krb5kdc/service.keyfile\n ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com\n ldap_conns_per_server = 5\n }\n"

#: serverguide/C/network-auth.xml:2689(para)
#: serverguide/C/network-auth.xml:2819(para)
msgid "Create the stash for the LDAP bind password:"

#: serverguide/C/network-auth.xml:2700(para)
#: serverguide/C/network-auth.xml:2830(para)
msgid "Now, on the <emphasis>Primary KDC</emphasis> copy the <filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename> <emphasis>Master Key</emphasis> stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as <application>scp</application>, or on physical media."

#: serverguide/C/network-auth.xml:2707(command)
#: serverguide/C/network-auth.xml:2837(command)
msgid "sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~"

#: serverguide/C/network-auth.xml:2708(command)
#: serverguide/C/network-auth.xml:2838(command)
msgid "sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/"

#: serverguide/C/network-auth.xml:2712(para)
#: serverguide/C/network-auth.xml:2842(para)
msgid "Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm."

#: serverguide/C/network-auth.xml:2720(para)
#: serverguide/C/network-auth.xml:2850(para)
msgid "Finally, start the <application>krb5-kdc</application> daemon:"

#: serverguide/C/network-auth.xml:2731(para)
#: serverguide/C/network-auth.xml:2861(para)
msgid "You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable."

#: serverguide/C/network-auth.xml:2743(para)
#: serverguide/C/network-auth.xml:2873(para)
msgid "The <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend\">Kerberos Admin Guide</ulink> has some additional details."

#: serverguide/C/network-auth.xml:2749(para)
#: serverguide/C/network-auth.xml:2879(para)
msgid "For more information on <application>kdb5_ldap_util</application> see <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAP-Database\">Section 5.6</ulink> and the <ulink url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/kdb5_ldap_util.8.html\">kdb5_ldap_util man page</ulink>."

#: serverguide/C/network-auth.xml:2757(para)
#: serverguide/C/network-auth.xml:2887(para)
msgid "Another useful link is the <ulink url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/krb5.conf.5.html\">krb5.conf man page</ulink>."

#: serverguide/C/monitoring.xml:13(title)

#: serverguide/C/installation.xml:423(para)
msgid "Select the first hard drive, and agree to <emphasis>\"Create a new empty partition table on this device?\"</emphasis>."

#: serverguide/C/installation.xml:427(para)
msgid "Repeat this step for each drive you wish to be part of the RAID array."

#: serverguide/C/installation.xml:434(para)
msgid "Select the <emphasis>\"FREE SPACE\"</emphasis> on the first drive then select <emphasis>\"Create a new partition\"</emphasis>."

#: serverguide/C/installation.xml:441(para)
msgid "Next, select the <emphasis>Size</emphasis> of the partition. This partition will be the <emphasis>swap</emphasis> partition, and a general rule for swap size is twice that of RAM. Enter the partition size, then choose <emphasis>Primary</emphasis>, then <emphasis>Beginning</emphasis>."

#: serverguide/C/installation.xml:450(para)
msgid "Select the <emphasis>\"Use as:\"</emphasis> line at the top. By default this is <emphasis role=\"italic\">\"Ext3 journaling file system\"</emphasis>, change that to <emphasis>\"physical volume for RAID\"</emphasis> then <emphasis>\"Done setting up partition\"</emphasis>."

#: serverguide/C/installation.xml:450(para)
msgid "Select the <emphasis>\"Use as:\"</emphasis> line at the top. By default this is <emphasis role=\"italic\">\"Ext4 journaling file system\"</emphasis>, change that to <emphasis>\"physical volume for RAID\"</emphasis> then <emphasis>\"Done setting up partition\"</emphasis>."

#: serverguide/C/installation.xml:459(para)
msgid "For the <emphasis>/</emphasis> partition once again select <emphasis>\"Free Space\"</emphasis> on the first drive then <emphasis>\"Create a new partition\"</emphasis>."

#: serverguide/C/installation.xml:467(para)
msgid "Use the rest of the free space on the drive and choose <emphasis>Continue</emphasis>, then <emphasis>Primary</emphasis>."

#: serverguide/C/installation.xml:474(para)
msgid "As with the swap partition, select the <emphasis>\"Use as:\"</emphasis> line at the top, changing it to <emphasis>\"physical volume for RAID\"</emphasis> then choose <emphasis>\"Done setting up partition\"</emphasis>."

#: serverguide/C/installation.xml:474(para)
msgid "As with the swap partition, select the <emphasis>\"Use as:\"</emphasis> line at the top, changing it to <emphasis>\"physical volume for RAID\"</emphasis>. Also select the <emphasis>\"Bootable flag:\"</emphasis> line to change the value to <emphasis>\"on\"</emphasis>. Then choose <emphasis>\"Done setting up partition\"</emphasis>."

#: serverguide/C/installation.xml:482(para)
#: serverguide/C/installation.xml:484(para)
msgid "Repeat steps three through eight for the other disk and partitions."

#: serverguide/C/installation.xml:491(title)
#: serverguide/C/installation.xml:493(title)
msgid "RAID Configuration"

#: serverguide/C/installation.xml:493(para)
#: serverguide/C/installation.xml:495(para)
msgid "With the partitions set up, the arrays are ready to be configured:"

#: serverguide/C/installation.xml:500(para)
#: serverguide/C/installation.xml:502(para)
msgid "Back in the main \"Partition Disks\" page, select <emphasis>\"Configure Software RAID\"</emphasis> at the top."

#: serverguide/C/installation.xml:507(para)
#: serverguide/C/installation.xml:509(para)
msgid "Select <emphasis>\"yes\"</emphasis> to write the changes to disk."

#: serverguide/C/installation.xml:514(para)
msgid "Choose <emphasis>\"Create MD drive\"</emphasis>."

#: serverguide/C/installation.xml:516(para)
msgid "Choose <emphasis>\"Create MD device\"</emphasis>."

#: serverguide/C/installation.xml:521(para)
#: serverguide/C/installation.xml:523(para)
msgid "For this example, select <emphasis>\"RAID1\"</emphasis>, but if you are using a different setup choose the appropriate type (RAID0, RAID1, RAID5)."

#: serverguide/C/installation.xml:527(para)
#: serverguide/C/installation.xml:529(para)
msgid "In order to use <emphasis>RAID5</emphasis> you need at least <emphasis>three</emphasis> drives. Using RAID0 or RAID1 only <emphasis>two</emphasis> drives are required."

#: serverguide/C/installation.xml:536(para)
#: serverguide/C/installation.xml:538(para)
msgid "Enter the number of active devices <emphasis>\"2\"</emphasis>, or the number of hard drives you have, for the array. Then select <emphasis>\"Continue\"</emphasis>."

#: serverguide/C/installation.xml:544(para)
#: serverguide/C/installation.xml:546(para)
msgid "Next, enter the number of spare devices <emphasis>\"0\"</emphasis> by default, then choose <emphasis>\"Continue\"</emphasis>."

#: serverguide/C/installation.xml:551(para)
#: serverguide/C/installation.xml:553(para)
msgid "Choose which partitions to use. Generally they will be sda1, sdb1, sdc1, etc. The numbers will usually match and the different letters correspond to different hard drives."

#: serverguide/C/installation.xml:556(para)
#: serverguide/C/installation.xml:558(para)
msgid "For the <emphasis>swap</emphasis> partition choose <emphasis>sda1</emphasis> and <emphasis>sdb1</emphasis>. Select <emphasis>\"Continue\"</emphasis> to go to the next step."

#: serverguide/C/installation.xml:564(para)
#: serverguide/C/installation.xml:566(para)
msgid "Repeat steps <emphasis>three</emphasis> through <emphasis>seven</emphasis> for the <emphasis>/</emphasis> partition choosing <emphasis>sda2</emphasis> and <emphasis>sdb2</emphasis>."

#: serverguide/C/installation.xml:572(para)
#: serverguide/C/installation.xml:574(para)
msgid "Once done select <emphasis>\"Finish\"</emphasis>."

#: serverguide/C/installation.xml:582(title)
#: serverguide/C/installation.xml:584(title)
msgid "Formatting"

#: serverguide/C/installation.xml:584(para)
#: serverguide/C/installation.xml:586(para)
msgid "There should now be a list of hard drives and RAID devices. The next step is to format and set the mount point for the RAID devices. Treat the RAID device as a local hard drive, format and mount accordingly."

#: serverguide/C/installation.xml:592(para)
msgid "Select the <emphasis>RAID1 device #0</emphasis> partition."

#: serverguide/C/installation.xml:594(para)
msgid "Select <emphasis>\"#1\"</emphasis> under the <emphasis>\"RAID1 device #0\"</emphasis> partition."

#: serverguide/C/installation.xml:599(para)
#: serverguide/C/installation.xml:601(para)
msgid "Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"swap area\"</emphasis>, then <emphasis>\"Done setting up partition\"</emphasis>."

#: serverguide/C/installation.xml:607(para)
msgid "Next, select the <emphasis>RAID1 device #1</emphasis> partition."

#: serverguide/C/installation.xml:614(para)
msgid "Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"Ext3 journaling file system\"</emphasis>."

#: serverguide/C/installation.xml:621(para)
msgid "Then select the <emphasis>\"Mount point\"</emphasis> and choose <emphasis>\"/ - the root file system\"</emphasis>. Change any of the other options as appropriate, then select <emphasis>\"Done setting up partition\"</emphasis>."

#: serverguide/C/installation.xml:629(para)
msgid "Finally, select <emphasis>\"Finish partitioning and write changes to disk\"</emphasis>."

#: serverguide/C/installation.xml:636(para)
msgid "If you choose to place the root partition on a RAID array, the installer will then ask if you would like to boot in a <emphasis>degraded</emphasis> state. See <xref linkend=\"raid-degraded\"/> for further details."

#: serverguide/C/installation.xml:641(para)

#: serverguide/C/installation.xml:609(para)
11438
msgid "Next, select <emphasis>\"#1\"</emphasis> under the <emphasis>\"RAID1 device #1\"</emphasis> partition."
11441
#: serverguide/C/installation.xml:616(para)
11442
msgid "Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"Ext4 journaling file system\"</emphasis>."
11445
#: serverguide/C/installation.xml:623(para)
11446
msgid "Then select the <emphasis>\"Mount point\"</emphasis> and choose <emphasis>\"/ - the root file system\"</emphasis>. Change any of the other options as appropriate, then select <emphasis>\"Done setting up partition\"</emphasis>."
11449
#: serverguide/C/installation.xml:631(para)
11450
msgid "Finally, select <emphasis>\"Finish partitioning and write changes to disk\"</emphasis>."
11453
#: serverguide/C/installation.xml:638(para)
11454
msgid "If you choose to place the root partition on a RAID array, the installer will then ask if you would like to boot in a <emphasis>degraded</emphasis> state. See <xref linkend=\"raid-degraded\"/> for further details."
11457
#: serverguide/C/installation.xml:643(para)
18178
11458
msgid "The installation process will then continue normally."
18181
#: serverguide/C/installation.xml:647(title)
#: serverguide/C/installation.xml:649(title)
msgid "Degraded RAID"

#: serverguide/C/installation.xml:649(para)
#: serverguide/C/installation.xml:651(para)
msgid "At some point in the life of the computer a disk failure event may occur. When this happens, using Software RAID, the operating system will place the array into what is known as a <emphasis>degraded</emphasis> state."

#: serverguide/C/installation.xml:654(para)
#: serverguide/C/installation.xml:656(para)
msgid "If the array has become degraded, due to the chance of data corruption, by default Ubuntu Server Edition will boot to <emphasis>initramfs</emphasis> after thirty seconds. Once the initramfs has booted there is a fifteen second prompt giving you the option to go ahead and boot the system, or attempt manual recovery. Booting to the initramfs prompt may or may not be the desired behavior, especially if the machine is in a remote location. Booting to a degraded array can be configured several ways:"

#: serverguide/C/installation.xml:665(para)
#: serverguide/C/installation.xml:667(para)
msgid "The <application>dpkg-reconfigure</application> utility can be used to configure the default behavior, and during the process you will be queried about additional settings related to the array, such as monitoring, email alerts, etc. To reconfigure <application>mdadm</application> enter the following:"

#: serverguide/C/installation.xml:672(command)
#: serverguide/C/installation.xml:674(command)
msgid "sudo dpkg-reconfigure mdadm"

#: serverguide/C/installation.xml:678(para)
#: serverguide/C/installation.xml:680(para)
msgid "The <command>dpkg-reconfigure mdadm</command> process will change the <filename>/etc/initramfs-tools/conf.d/mdadm</filename> configuration file. The file has the advantage of being able to pre-configure the system's behavior, and can also be manually edited:"

#: serverguide/C/installation.xml:684(programlisting)
#: serverguide/C/installation.xml:686(programlisting)
msgid "\nBOOT_DEGRADED=true\n"

#: serverguide/C/installation.xml:689(para)
#: serverguide/C/installation.xml:691(para)
msgid "The configuration file can be overridden by using a Kernel argument."

#: serverguide/C/installation.xml:697(para)
#: serverguide/C/installation.xml:699(para)
msgid "Using a Kernel argument will allow the system to boot to a degraded array as well:"

#: serverguide/C/installation.xml:703(para)
#: serverguide/C/installation.xml:705(para)
msgid "When the server is booting press <emphasis>ESC</emphasis> to open the <application>Grub</application> menu."

#: serverguide/C/installation.xml:708(para)
#: serverguide/C/installation.xml:710(para)
msgid "Press <emphasis>\"e\"</emphasis> to edit your Kernel command options."

#: serverguide/C/installation.xml:713(para)
#: serverguide/C/installation.xml:715(para)
msgid "Press the <emphasis>DOWN</emphasis> arrow to highlight the kernel line."

#: serverguide/C/installation.xml:718(para)
#: serverguide/C/installation.xml:720(para)
msgid "Press the <emphasis>\"e\"</emphasis> key again to edit the kernel line."

#: serverguide/C/installation.xml:723(para)
#: serverguide/C/installation.xml:725(para)
msgid "Add <emphasis>\"bootdegraded=true\"</emphasis> (without the quotes) to the end of the line."

#: serverguide/C/installation.xml:728(para)
#: serverguide/C/installation.xml:730(para)
msgid "Press <emphasis>\"ENTER\"</emphasis>."

#: serverguide/C/installation.xml:733(para)
#: serverguide/C/installation.xml:735(para)
msgid "Finally, press <emphasis>\"b\"</emphasis> to boot the system."

#: serverguide/C/installation.xml:742(para)
#: serverguide/C/installation.xml:744(para)
msgid "Once the system has booted you can either repair the array (see <xref linkend=\"raid-maintenance\"/> for details), or copy important data to another machine due to major hardware failure."

#: serverguide/C/installation.xml:749(title)
#: serverguide/C/installation.xml:751(title)
msgid "RAID Maintenance"

#: serverguide/C/installation.xml:751(para)
#: serverguide/C/installation.xml:753(para)
msgid "The <application>mdadm</application> utility can be used to view the status of an array, add disks to an array, remove disks, etc:"

#: serverguide/C/installation.xml:758(para)
#: serverguide/C/installation.xml:760(para)
msgid "To view the status of an array, from a terminal prompt enter:"

#: serverguide/C/installation.xml:762(command)
#: serverguide/C/installation.xml:764(command)
msgid "sudo mdadm -D /dev/md0"

#: serverguide/C/installation.xml:765(para)
#: serverguide/C/installation.xml:767(para)
msgid "The <emphasis>-D</emphasis> tells <application>mdadm</application> to display <emphasis>detailed</emphasis> information about the <filename>/dev/md0</filename> device. Replace <filename>/dev/md0</filename> with the appropriate RAID device."

#: serverguide/C/installation.xml:771(para)
#: serverguide/C/installation.xml:773(para)
msgid "To view the status of a disk in an array:"

#: serverguide/C/installation.xml:775(command)
#: serverguide/C/installation.xml:777(command)
msgid "sudo mdadm -E /dev/sda1"

#: serverguide/C/installation.xml:777(para)
#: serverguide/C/installation.xml:779(para)
msgid "The output is very similar to that of the <command>mdadm -D</command> command; adjust <filename>/dev/sda1</filename> for each disk."

#: serverguide/C/installation.xml:782(para)
#: serverguide/C/installation.xml:784(para)
msgid "If a disk fails and needs to be removed from an array enter:"

#: serverguide/C/installation.xml:786(command)
#: serverguide/C/installation.xml:788(command)
msgid "sudo mdadm --remove /dev/md0 /dev/sda1"

#: serverguide/C/installation.xml:788(para)
#: serverguide/C/installation.xml:790(para)
msgid "Change <filename>/dev/md0</filename> and <filename>/dev/sda1</filename> to the appropriate RAID device and disk."

#: serverguide/C/installation.xml:793(para)
#: serverguide/C/installation.xml:795(para)
msgid "Similarly, to add a new disk:"

#: serverguide/C/installation.xml:797(command)
#: serverguide/C/installation.xml:799(command)
msgid "sudo mdadm --add /dev/md0 /dev/sda1"

#: serverguide/C/installation.xml:802(para)
#: serverguide/C/installation.xml:804(para)
msgid "Sometimes a disk can change to a <emphasis>faulty</emphasis> state even though there is nothing physically wrong with the drive. It is usually worthwhile to remove the drive from the array then re-add it. This will cause the drive to re-sync with the array. If the drive will not sync with the array, it is a good indication of hardware failure."

#: serverguide/C/installation.xml:808(para)
#: serverguide/C/installation.xml:810(para)
msgid "The <filename>/proc/mdstat</filename> file also contains useful information about the system's RAID devices:"

#: serverguide/C/installation.xml:813(command)
#: serverguide/C/installation.xml:815(command)
msgid "cat /proc/mdstat"

#: serverguide/C/installation.xml:814(computeroutput)
#: serverguide/C/installation.xml:816(computeroutput)
msgid "Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10] \nmd0 : active raid1 sda1[0] sdb1[1]\n 10016384 blocks [2/2] [UU]\n \nunused devices: <none>"

#: serverguide/C/installation.xml:821(para)
#: serverguide/C/installation.xml:823(para)
msgid "The following command is great for watching the status of a syncing drive:"

#: serverguide/C/installation.xml:826(command)
#: serverguide/C/installation.xml:828(command)
msgid "watch -n1 cat /proc/mdstat"

#: serverguide/C/installation.xml:829(para)
#: serverguide/C/installation.xml:831(para)
msgid "Press <emphasis>Ctrl+c</emphasis> to stop the <application>watch</application> command."

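As an added example that is not part of the Ubuntu Server Guide, the following shell check parses the /proc/mdstat output shown above and reports each array as OK, DEGRADED, or syncing; the first sample input is the guide's own healthy output, the second is constructed.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: a check that reads
# /proc/mdstat and reports each md array, so a host that boots with
# BOOT_DEGRADED=true is still noticed when it runs on a single disk.
# Real use: mdstat_check < /proc/mdstat   or   mdstat_healthy < /proc/mdstat

# mdstat_check: read /proc/mdstat on stdin; print "<md> OK" or
# "<md> DEGRADED", followed by "syncing <percent>" while a rebuild runs.
mdstat_check() {
    awk '
        # Array header, e.g. "md0 : active raid1 sda1[0] sdb1[1]"
        /^md[0-9]+ :/ { dev = $1; order[++n] = dev; state[dev] = "OK"; next }
        # Member summary, e.g. "10016384 blocks [2/2] [UU]": [2/1] means a
        # member is missing or marked faulty, so the array is degraded.
        dev != "" && /blocks/ && match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), c, "/")
            if (c[1] != c[2]) state[dev] = "DEGRADED"
            next
        }
        # Progress bar, e.g. "[==>....]  recovery = 27.3% (...)"
        dev != "" && /(recovery|resync|reshape) *=/ && match($0, /[0-9.]+%/) {
            progress[dev] = substr($0, RSTART, RLENGTH)
            next
        }
        /^unused devices/ { dev = "" }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]; line = d " " state[d]
                if (d in progress) line = line " syncing " progress[d]
                print line
            }
        }'
}

# mdstat_healthy: succeed only when every array is OK and nothing is syncing.
mdstat_healthy() {
    ! mdstat_check | grep -qv ' OK$'
}

# The healthy /proc/mdstat shown in the guide, as sample input.
sample_healthy() {
    cat <<'EOF'
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md0 : active raid1 sda1[0] sdb1[1]
      10016384 blocks [2/2] [UU]

unused devices: <none>
EOF
}

# Constructed sample: md0 has lost a member, md1 is rebuilding onto a new disk.
sample_degraded() {
    cat <<'EOF'
Personalities : [raid1]
md0 : active raid1 sdb1[1]
      10016384 blocks [2/1] [_U]

md1 : active raid1 sda2[0] sdb2[2]
      20000000 blocks [2/1] [U_]
      [=====>...............]  recovery = 27.3% (5460000/20000000) finish=3.1min speed=78000K/sec

unused devices: <none>
EOF
}
```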
#: serverguide/C/installation.xml:833(para)
#: serverguide/C/installation.xml:835(para)
msgid "If you do need to replace a faulty drive, after the drive has been replaced and synced, <application>grub</application> will need to be installed. To install <application>grub</application> on the new drive, enter the following:"

#: serverguide/C/installation.xml:839(command)
#: serverguide/C/installation.xml:841(command)
msgid "sudo grub-install /dev/md0"

#: serverguide/C/installation.xml:842(para)
#: serverguide/C/installation.xml:844(para)
msgid "Replace <filename>/dev/md0</filename> with the appropriate array device name."

#: serverguide/C/installation.xml:850(para)
#: serverguide/C/installation.xml:852(para)
msgid "The topic of RAID arrays is a complex one due to the plethora of ways RAID can be configured. Please see the following links for more information:"

#: serverguide/C/installation.xml:858(ulink)
#: serverguide/C/installation.xml:860(ulink)
msgid "Software RAID HOWTO"

#: serverguide/C/installation.xml:863(ulink)
#: serverguide/C/installation.xml:865(ulink)
msgid "Managing RAID on Linux"

#: serverguide/C/installation.xml:870(title)
#: serverguide/C/installation.xml:872(title)
msgid "Logical Volume Manager (LVM)"

#: serverguide/C/installation.xml:872(para)
#: serverguide/C/installation.xml:874(para)
msgid "Logical Volume Manager, or <emphasis>LVM</emphasis>, allows administrators to create <emphasis>logical</emphasis> volumes out of one or multiple physical hard disks. LVM volumes can be created on both software RAID partitions and standard partitions residing on a single disk. Volumes can also be extended, giving greater flexibility to systems as requirements change."

#: serverguide/C/installation.xml:881(para)
#: serverguide/C/installation.xml:883(para)
msgid "A side effect of LVM's power and flexibility is a greater degree of complication. Before diving into the LVM installation process, it is best to get familiar with some terms."

#: serverguide/C/installation.xml:888(para)
#: serverguide/C/installation.xml:890(para)
msgid "<emphasis>Volume Group (VG):</emphasis> contains one or several Logical Volumes (LV)."

#: serverguide/C/installation.xml:893(para)
#: serverguide/C/installation.xml:895(para)
msgid "<emphasis>Logical Volume (LV):</emphasis> is similar to a partition in a non-LVM system. Multiple Physical Volumes (PV) can make up one LV, on top of which resides the actual EXT3, XFS, JFS, etc filesystem."

#: serverguide/C/installation.xml:899(para)
#: serverguide/C/installation.xml:901(para)
msgid "<emphasis>Physical Volume (PV):</emphasis> physical hard disk or software RAID partition. The Volume Group can be extended by adding more PVs."

#: serverguide/C/installation.xml:910(para)
#: serverguide/C/installation.xml:912(para)
msgid "As an example this section covers installing Ubuntu Server Edition with <filename role=\"directory\">/srv</filename> mounted on an LVM volume. During the initial install only one Physical Volume (PV) will be part of the Volume Group (VG). Another PV will be added after install to demonstrate how a VG can be extended."

#: serverguide/C/installation.xml:916(para)
#: serverguide/C/installation.xml:918(para)
msgid "There are several installation options for LVM: <emphasis>\"Guided - use the entire disk and setup LVM\"</emphasis>, which will also allow you to assign a portion of the available space to LVM; <emphasis>\"Guided - use entire and setup encrypted LVM\"</emphasis>; or <emphasis>Manually</emphasis> set up the partitions and configure LVM. At this time the only way to configure a system with both LVM and standard partitions, during installation, is to use the Manual approach."

#: serverguide/C/installation.xml:933(para)
#: serverguide/C/installation.xml:935(para)
msgid "At the <emphasis>\"Partition Disks\"</emphasis> screen choose <emphasis>\"Manual\"</emphasis>."

#: serverguide/C/installation.xml:940(para)
#: serverguide/C/installation.xml:942(para)
msgid "Select the hard disk and on the next screen choose \"yes\" to <emphasis>\"Create a new empty partition table on this device\"</emphasis>."

#: serverguide/C/installation.xml:947(para)
#: serverguide/C/installation.xml:949(para)
msgid "Next, create standard <emphasis>/boot</emphasis>, <emphasis>swap</emphasis>, and <emphasis>/</emphasis> partitions with whichever filesystem you prefer."

#: serverguide/C/installation.xml:955(para)
#: serverguide/C/installation.xml:957(para)
msgid "For the LVM <emphasis>/srv</emphasis>, create a new <emphasis>Logical</emphasis> partition. Then change <emphasis>\"Use as\"</emphasis> to <emphasis>\"physical volume for LVM\"</emphasis>, then <emphasis>\"Done setting up the partition\"</emphasis>."

#: serverguide/C/installation.xml:963(para)
#: serverguide/C/installation.xml:965(para)
msgid "Now select <emphasis>\"Configure the Logical Volume Manager\"</emphasis> at the top, and choose <emphasis>\"Yes\"</emphasis> to write the changes to disk."

#: serverguide/C/installation.xml:971(para)
#: serverguide/C/installation.xml:973(para)
msgid "For the <emphasis>\"LVM configuration action\"</emphasis> on the next screen, choose <emphasis>\"Create volume group\"</emphasis>. Enter a name for the VG such as <emphasis>vg01</emphasis>, or something more descriptive. After entering a name, select the partition configured for LVM, and choose <emphasis>\"Continue\"</emphasis>."

#: serverguide/C/installation.xml:980(para)
#: serverguide/C/installation.xml:982(para)
msgid "Back at the <emphasis>\"LVM configuration action\"</emphasis> screen, select <emphasis>\"Create logical volume\"</emphasis>. Select the newly created volume group, and enter a name for the new LV, for example <emphasis>srv</emphasis> since that is the intended mount point. Then choose a size, which may be the full partition because it can always be extended later. Choose <emphasis>\"Finish\"</emphasis> and you should be back at the main <emphasis>\"Partition Disks\"</emphasis> screen."

#: serverguide/C/installation.xml:990(para)
#: serverguide/C/installation.xml:992(para)
msgid "Now add a filesystem to the new LVM. Select the partition under <emphasis>\"LVM VG vg01, LV srv\"</emphasis>, or whatever name you have chosen, then choose <emphasis>Use as</emphasis>. Set up a file system as normal, selecting <emphasis>/srv</emphasis> as the mount point. Once done, select <emphasis>\"Done setting up the partition\"</emphasis>."

#: serverguide/C/installation.xml:999(para)
#: serverguide/C/installation.xml:1001(para)
msgid "Finally, select <emphasis>\"Finish partitioning and write changes to disk\"</emphasis>. Then confirm the changes and continue with the rest of the installation."

#: serverguide/C/installation.xml:1007(para)
#: serverguide/C/installation.xml:1009(para)
msgid "There are some useful utilities to view information about LVM:"

#: serverguide/C/installation.xml:1012(para)
msgid "<emphasis>vgdisplay:</emphasis> shows information about Volume Groups."

#: serverguide/C/installation.xml:1013(para)
#: serverguide/C/installation.xml:1015(para)
msgid "<emphasis>lvdisplay:</emphasis> has information about Logical Volumes."

#: serverguide/C/installation.xml:1014(para)
#: serverguide/C/installation.xml:1016(para)
msgid "<emphasis>pvdisplay:</emphasis> similarly displays information about Physical Volumes."

#: serverguide/C/installation.xml:1019(title)
#: serverguide/C/installation.xml:1021(title)
msgid "Extending Volume Groups"

#: serverguide/C/installation.xml:1021(para)
#: serverguide/C/installation.xml:1023(para)
msgid "Continuing with <emphasis>srv</emphasis> as an LVM volume example, this section covers adding a second hard disk, creating a Physical Volume (PV), adding it to the volume group (VG), extending the logical volume <filename role=\"directory\">srv</filename> and finally extending the filesystem. This example assumes a second hard disk has been added to the system. This hard disk will be named <filename>/dev/sdb</filename> in our example. BEWARE: make sure you don't already have an existing <filename>/dev/sdb</filename> before issuing the commands below. You could lose some data if you issue those commands on a non-empty disk. In our example we will use the entire disk as a physical volume (you could choose to create partitions and use them as different physical volumes)."

#: serverguide/C/installation.xml:1033(para)
#: serverguide/C/installation.xml:1035(para)
msgid "First, create the physical volume; in a terminal execute:"

#: serverguide/C/installation.xml:1038(command)
#: serverguide/C/installation.xml:1040(command)
msgid "sudo pvcreate /dev/sdb"

#: serverguide/C/installation.xml:1044(para)
#: serverguide/C/installation.xml:1046(para)
msgid "Now extend the Volume Group (VG):"

#: serverguide/C/installation.xml:1049(command)
#: serverguide/C/installation.xml:1051(command)
msgid "sudo vgextend vg01 /dev/sdb"

#: serverguide/C/installation.xml:1055(para)
#: serverguide/C/installation.xml:1057(para)
msgid "Use <application>vgdisplay</application> to find out the free physical extents - Free PE / size (the size you can allocate). We will assume a free size of 511 PE (equivalent to 2GB with a PE size of 4MB) and we will use the whole free space available. Use your own PE and/or free space."

#: serverguide/C/installation.xml:1061(para)
#: serverguide/C/installation.xml:1063(para)
msgid "The Logical Volume (LV) can now be extended by different methods; we will only see how to use the PE to extend the LV:"

#: serverguide/C/installation.xml:1066(command)
#: serverguide/C/installation.xml:1068(command)
msgid "sudo lvextend /dev/vg01/srv -l +511"

#: serverguide/C/installation.xml:1069(para)
#: serverguide/C/installation.xml:1071(para)
msgid "The <emphasis>-l</emphasis> option allows the LV to be extended using PE. The <emphasis>-L</emphasis> option allows the LV to be extended using a size in megabytes, gigabytes, terabytes, etc."

#: serverguide/C/installation.xml:1079(para)
11760
msgid "Even though you are supposed to be able to <emphasis>expand</emphasis> an ext3 or ext4 filesystem without unmounting it first, it may be a good pratice to unmount it anyway and check the filesystem, so that you don't mess up the day you want to reduce a logical volume (in that case unmounting first is compulsory)."
11763
#: serverguide/C/installation.xml:1085(para)
11764
msgid "The following commands are for an <emphasis>EXT3</emphasis> or <emphasis>EXT4</emphasis> filesystem. If you are using another filesystem there may be other utilities available."
11767
#: serverguide/C/installation.xml:1092(command)
18645
11768
msgid "sudo e2fsck -f /dev/vg01/srv"

#: serverguide/C/installation.xml:1093(para)
#: serverguide/C/installation.xml:1095(para)
msgid ""
"The <emphasis>-f</emphasis> option of <application>e2fsck</application> "
"forces a full check even if the filesystem appears clean."

#: serverguide/C/installation.xml:1100(para)
#: serverguide/C/installation.xml:1102(para)
msgid "Finally, resize the filesystem:"

#: serverguide/C/installation.xml:1105(command)
#: serverguide/C/installation.xml:1107(command)
msgid "sudo resize2fs /dev/vg01/srv"

#: serverguide/C/installation.xml:1111(para)
#: serverguide/C/installation.xml:1113(para)
msgid "Now mount the logical volume again and check its new size:"

#: serverguide/C/installation.xml:1116(command)
#: serverguide/C/installation.xml:1118(command)
msgid "sudo mount /dev/vg01/srv /srv && df -h /srv"
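
The whole procedure above (pvcreate, vgextend, lvextend, e2fsck, resize2fs, mount) as a POSIX shell script, added here as an example; it is not part of the Ubuntu Server Guide. It assumes the guide's names (disk /dev/sdb, volume group vg01, logical volume srv mounted at /srv) and adds two things the guide only states in prose: it refuses a disk that already carries a partition table, filesystem or LVM signature (checked with wipefs, which only lists signatures when run without -a), and it reads the free PE count from vgdisplay instead of hard-coding 511. The DRY_RUN variable and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: the LVM extension procedure
# as a script with the checks the guide gives only in prose. Assumed names
# (change them to match your system): new disk /dev/sdb, volume group vg01,
# logical volume srv, mounted at /srv. DRY_RUN=1 prints the commands that
# would modify the system instead of running them.
set -eu

DISK="${DISK:-/dev/sdb}"
VG="${VG:-vg01}"
LV="${LV:-srv}"
MNT="${MNT:-/srv}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# The guide's BEWARE as code: refuse a device that is missing or that already
# carries a partition table, filesystem or LVM label. "wipefs DEVICE" without
# -a only lists signatures and writes nothing. If wipefs itself fails (not
# root, not installed) we fail closed rather than treat the disk as blank.
disk_is_blank() {
  [ -b "$1" ] || return 1
  sigs=$(wipefs "$1" 2>/dev/null) || return 1
  [ -z "$sigs" ]
}

# Read the number of free physical extents from vgdisplay output on stdin
# (the "Free  PE / Size" line) instead of hard-coding the guide's 511.
free_pe_from_vgdisplay() {
  awk '/Free +PE \/ Size/ { print $5; exit }'
}

# Steps after vgextend: grow the LV by PE extents, then unmount, check, resize
# and remount the ext3/ext4 filesystem in the same order as the guide.
grow_lv_and_fs() {
  pe="$1"
  lvpath="/dev/$VG/$LV"
  case "$pe" in
    ''|*[!0-9]*) echo "free PE count must be a number, got '$pe'" >&2; return 1 ;;
  esac
  [ "$pe" -gt 0 ] || { echo "no free extents in $VG" >&2; return 1; }
  run lvextend -l "+$pe" "$lvpath"
  run umount "$MNT"            # e2fsck must not run on a mounted filesystem
  run e2fsck -f "$lvpath"
  run resize2fs "$lvpath"
  run mount "$lvpath" "$MNT"
  run df -h "$MNT"
}

# Whole procedure: physical volume, volume group, then LV and filesystem.
# vgdisplay is read-only, so it runs for real even under DRY_RUN.
extend_srv() {
  if ! disk_is_blank "$DISK"; then
    echo "refusing to continue: $DISK is missing or not blank" >&2
    return 1
  fi
  run pvcreate "$DISK"
  run vgextend "$VG" "$DISK"
  free=$(vgdisplay "$VG" | free_pe_from_vgdisplay)
  grow_lv_and_fs "$free"
}

# Run only when invoked explicitly, e.g. "sudo sh extend-srv.sh --run".
if [ "${1:-}" = "--run" ]; then
  extend_srv
fi
```

Run it as root; `DRY_RUN=1 sh extend-srv.sh --run` shows the commands without changing anything (the blank-disk check and vgdisplay still run, both read-only, so the refusal and the extent count are real). resize2fs can grow a mounted ext3/ext4 filesystem; the script unmounts first only because e2fsck requires it and the guide recommends the check.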

#: serverguide/C/installation.xml:1128(para)
#: serverguide/C/installation.xml:1130(para)
msgid ""
"See the <ulink url=\"http://tldp.org/HOWTO/LVM-HOWTO/index.html\">LVM "
"HOWTO</ulink> for more information."

#: serverguide/C/installation.xml:1133(para)
#: serverguide/C/installation.xml:1135(para)
msgid ""
"Another good article is <ulink "
"url=\"http://www.linuxdevcenter.com/pub/a/linux/2006/04/27/managing-disk-"
"space-with-lvm.html\">Managing Disk Space with LVM</ulink> on O'Reilly's "
"linuxdevcenter.com site."

#: serverguide/C/installation.xml:1140(para)
#: serverguide/C/installation.xml:1142(para)
msgid ""
"For more information on <application>fdisk</application> see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/fdisk.8.html\">fdisk"
" man page</ulink>."

#: serverguide/C/file-server.xml:13(title)